cpwiki.net http://www.cpwiki.net/index.php/Main_Page MediaWiki 1.21.10

1.0 TLS disablement (revision 825, 2019-04-12T15:17:52Z, Nighthawk)

To disable TLS 1.0 so that only TLS 1.1 and above is accepted, follow Check Point SK articles sk102989 and sk120846.

12400 quick start guide (revision 454, 2014-05-12T06:34:06Z, Nighthawk)

== connecting to the appliance for the first time ==

Gaia and SecurePlatform:
* The management interface is marked MGMT and has a default IP address of 192.168.1.1.
* Default username and password: admin / admin. These defaults are public; set a new admin password as soon as the wizard lets you.
* The MGMT IP is reachable over https with a web browser.
* Check Point's instructions are to run the First Time Configuration Wizard by connecting with a browser.
* After the wizard has run, the appliance is also reachable via the CLI on the console or over ssh. If you try to log in before running the wizard, you get this message:

<pre>
This system is for authorized use only.
login: admin
Password:
In order to configure your system, please access the Web UI and finish the First Time Wizard.
</pre>

lame...

== front panel ==

[[file:12400_front.png]]

== console ==

Configure the terminal emulation program settings:
* Serial port settings: 9600 BPS, 8 bits, no parity, 1 stop bit.
* Flow control is None.

[[category:12000 series]]

2 Down CMMs on 61000 chassis (revision 335, 2014-02-27T07:03:53Z, Nighthawk)

== problem description ==

'''symptoms'''

'''1. "asg stat" shows 2 down CMMs and 0/2 up, as seen here'''

<pre>
[Expert@61k_fw-ch01-01]# asg stat
--------------------------------------------------------------------------
| System Status                                                          |
--------------------------------------------------------------------------
| Up time                    | 1 year, 38 days, 23:14:58 hours           |
--------------------------------------------------------------------------
| Current CPUs load average  | 1 %                                       |
| Concurrent connections     | 5176                                      |
| Health                     | CMMs 2 Down                               |
--------------------------------------------------------------------------
| Chassis 1                  | STANDBY UP / Required                     |
|                            | SGMs 12 / 12                              |
|                            | Ports 2 / 2                               |
|                            | Fans 6 / 6                                |
|                            | SSMs 2 / 2                                |
|                            | CMMs 0 / 2 (!)                            |
|                            | Power Supplies 5 / 5                      |
</pre>

'''2. bay 1 (bottom) CMM has a red status light'''

The bay 1 CMM had a red status light. I am not sure which LED (act, ctr, pwe, mjr, hs, mnr) was red; I failed to gather that from the onsite person helping me. The bay 2 LEDs were normal, none red.

'''3. inter-chassis network connectivity to the CMMs failing'''

There were no console cables plugged into the CMM cards on this device, so no troubleshooting could be done over serial. The active CMM was not reachable via the CMM IPs 198.51.100.33 or 198.51.100.233; these are the addresses used on all 61000 devices for communication with the CMMs. The packet captures below show the CMMs not responding to ARP requests.

Listing of the chassis ports used for CMM connectivity:

<pre>
[Expert@61k_fw-ch01-01]# ifconfig -a | grep -A 1 CIN
eth1-CIN  Link encap:Ethernet  HWaddr 00:1C:7F:20:14:7C
          inet addr:198.51.100.1  Bcast:198.51.100.127  Mask:255.255.255.128
eth2-CIN  Link encap:Ethernet  HWaddr 00:1C:7F:20:14:7D
          inet addr:198.51.100.201  Bcast:198.51.100.255  Mask:255.255.255.128
</pre>

Packet captures taken on the CMM networks show ARP requests but no replies. Neither CMM appears to be responding on its network connection.

<pre>
[Expert@61k_fw-ch01-01]# tcpdump -i eth2-CIN
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2-CIN, link-type EN10MB (Ethernet), capture size 96 bytes
05:37:25.865315 arp who-has 198.51.100.233 tell 198.51.100.204
05:37:26.864981 arp who-has 198.51.100.233 tell 198.51.100.204
05:37:27.864873 arp who-has 198.51.100.233 tell 198.51.100.204
05:37:29.467760 arp who-has 198.51.100.233 tell 198.51.100.204
...

[Expert@61k_fw-ch01-01]# tcpdump -i eth1-CIN
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1-CIN, link-type EN10MB (Ethernet), capture size 96 bytes
05:38:01.206437 arp who-has 198.51.100.33 tell 198.51.100.1
05:38:02.206092 arp who-has 198.51.100.33 tell 198.51.100.1
05:38:04.143829 arp who-has 198.51.100.33 tell 198.51.100.1
</pre>

== problem resolution ==

Due to the lack of CMM console cables and telnet/ssh connectivity, we resorted to physically resetting the cards one at a time, by pulling each out and re-inserting it: first bay 1, then bay 2. After resetting bay 1 there was no change in status. After resetting bay 2, the red error status light on bay 1 went green, and the CMM status changed from 0/2 up to 2/2 up, as seen below.

<pre>
[Expert@61k_fw-ch01-01]# asg stat | grep -i -E "chassis|cmms"
| Chassis 1                  | STANDBY UP / Required                     |
|                            | CMMs 2 / 2                                |
</pre>

== root cause ==

Root cause undetermined.

[[category:61000]]
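The two symptoms above (a component row in "asg stat" with fewer members up than expected, and ARP requests on the CIN interfaces that never get a reply) can be checked from the SGM shell rather than read by eye. The following is an added example, not code from the wiki page or from Check Point; it runs in the Expert-mode bash on an SGM or on any box with awk. The sample input is constructed from the captures shown above; the single "arp reply" line is invented to show a healthy target being skipped, and the tcpdump line layout assumed is the default non-verbose ARP format seen on this page.

```sh
#!/bin/sh
# Added example (not from the wiki page): checks for the two symptoms above.

# unanswered_arp: read tcpdump text on stdin and print "<ip> <requests>" for
# every target that was asked for ("arp who-has X") but never answered
# ("arp reply X"). Assumes tcpdump's default (non -v) ARP line format.
unanswered_arp() {
    awk '$2 == "arp" && $3 == "who-has" { asked[$4]++ }
         $2 == "arp" && $3 == "reply"   { answered[$4]++ }
         END { for (ip in asked) if (!(ip in answered)) print ip, asked[ip] }' | sort
}

# degraded_components: read "asg stat" text on stdin and print "<name> <up>/<total>"
# for every "x / y" component row (SGMs, CMMs, Power Supplies, ...) with x < y.
# Rows such as "STANDBY UP / Required" have no digits around the slash and are skipped.
degraded_components() {
    awk -F'|' 'NF >= 3 {
        s = $3; gsub(/^ +| +$/, "", s)
        if (s !~ /[0-9]+ *\/ *[0-9]+/) next
        n = split(s, w, " ")
        for (i = 2; i < n; i++) if (w[i] == "/") break
        if (i >= n) next
        name = w[1]; for (j = 2; j < i - 1; j++) name = name " " w[j]
        if (w[i-1] + 0 < w[i+1] + 0) print name, w[i-1] "/" w[i+1]
    }'
}

# Constructed sample input: the captures from this page plus one invented reply.
SAMPLE_ARP='05:37:25.865315 arp who-has 198.51.100.233 tell 198.51.100.204
05:37:26.864981 arp who-has 198.51.100.233 tell 198.51.100.204
05:37:27.864873 arp who-has 198.51.100.233 tell 198.51.100.204
05:38:01.206437 arp who-has 198.51.100.33 tell 198.51.100.1
05:38:01.206900 arp reply 198.51.100.33 is-at 00:1c:7f:00:00:01'

SAMPLE_ASG='| Chassis 1          | STANDBY UP / Required   |
|                    | SGMs 12 / 12            |
|                    | Ports 2 / 2             |
|                    | CMMs 0 / 2 (!)          |
|                    | Power Supplies 5 / 5    |'

# On a live SGM the same functions would be fed by:
#   tcpdump -i eth2-CIN -c 50 | unanswered_arp
#   asg stat | degraded_components
printf '%s\n' "$SAMPLE_ARP" | unanswered_arp        # 198.51.100.233 3
printf '%s\n' "$SAMPLE_ASG" | degraded_components   # CMMs 0/2
```

Both functions only read text on stdin, so they can equally be run against a saved capture or an "asg stat" transcript after the fact.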
"asg stat" shows 2 down CMMs and 0/2 up as seen here''' [Expert@61k_fw-ch01-01]# asg stat -------------------------------------------------------------------------- | System Status | -------------------------------------------------------------------------- | Up time | 1 year, 38 days, 23:14:58 hours | -------------------------------------------------------------------------- | Current CPUs load average | 1 % | | Concurrent connections | 5176 | | Health | '''CMMs 2 Down''' | -------------------------------------------------------------------------- | Chassis 1 | STANDBY UP / Required | | | SGMs 12 / 12 | | | Ports 2 / 2 | | | Fans 6 / 6 | | | SSMs 2 / 2 | | | '''CMMs 0 / 2 (!)''' | | | Power Supplies 5 / 5 | '''2. bay 1(bottom) CMM has red status light''' The bay1 CMM had a red status light...I am not sure which LED (act, ctr, pwe, mjr, hs, mnr) was red. I failed to gather that info from the onsite person helping me. bay2 LEDs were normal, none red. '''3. inter-chassis network connectivity to CMMs failing''' There were are no console cables plugged into the CMM cards for this device. So, no troubleshooting could be done there. The active CMM was not reachable via the CMM IPs 198.51.100.33 or 192.51.100.233. These are the IPs used on all 61000 devices for intercommunication with the CMMS. packet captures below show the CMM not responding to arp requests. listing of the chassis ports for CMM connectivity... [Expert@61k_fw-ch01-01]# ifconfig -a |grep -A 1 CIN eth1-CIN Link encap:Ethernet HWaddr 00:1C:7F:20:14:7C inet addr:198.51.100.1 Bcast:198.51.100.127 Mask:255.255.255.128 eth2-CIN Link encap:Ethernet HWaddr 00:1C:7F:20:14:7D inet addr:198.51.100.201 Bcast:198.51.100.255 Mask:255.255.255.128 packet capture taken on CMM networks show arp requests but no replies. Neither CMM appears to be responding on their network connection. 
[Expert@61k_fw-ch01-01]# tcpdump -i eth2-CIN tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth2-CIN, link-type EN10MB (Ethernet), capture size 96 bytes 05:37:25.865315 arp who-has 198.51.100.233 tell 198.51.100.204 05:37:26.864981 arp who-has 198.51.100.233 tell 198.51.100.204 05:37:27.864873 arp who-has 198.51.100.233 tell 198.51.100.204 05:37:29.467760 arp who-has 198.51.100.233 tell 198.51.100.204 ... <br>[Expert@61k_fw-ch01-01]# tcpdump -i eth1-CIN tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth1-CIN, link-type EN10MB (Ethernet), capture size 96 bytes 05:38:01.206437 arp who-has 198.51.100.33 tell 198.51.100.1 05:38:02.206092 arp who-has 198.51.100.33 tell 198.51.100.1 05:38:04.143829 arp who-has 198.51.100.33 tell 198.51.100.1 == problem resolution == Due to the lack of CMM console cables and telnet/ssh connectivity, we resorted to physically resetting the cards one at a time. . First bay 1, then bay 2. After resetting bay 1, there was no change in status. After resetting bay2, then the red error status light on bay1 went green. Also the CMM status changed from 0/2 up to 2/2 up as seen below. [Expert@61k_fw-ch01-01]# asg stat | grep -i -E "chassis|cmms" | Chassis 1 | STANDBY UP / Required | | | CMMs 2 / 2 | == root cause == root cause undetermined [[category:61000]] 61000 Chassis Management Module (CMM) - diagram and LED descriptions 0 137 355 2014-03-08T05:29:54Z Nighthawk 1 Created page with "[[file:61000_cmm_diagram-desc.png]] [[category:61000]]" wikitext text/x-wiki [[file:61000_cmm_diagram-desc.png]] [[category:61000]] 61000 O.S. global commands 0 174 493 491 2014-06-06T20:52:38Z Nighthawk 1 wikitext text/x-wiki == OS global commands == Description: The global commands are utilities to run certain commands on multiple SGMs. 
This document is dealing with Operating System related commands, those utilities are mostly an extended wrapper to known UNIX commands (like ls, cp, tcpdump...). They are available in glish and bash as follows... [[file:61k_global_cmds.png]] [[category:61000]] 491 2014-06-06T20:51:20Z Nighthawk 1 Created page with " == OS global commands == Description: The global commands are utilities to run certain commands on multiple SGMs. This document is dealing with Operating System related com..." wikitext text/x-wiki == OS global commands == Description: The global commands are utilities to run certain commands on multiple SGMs. This document is dealing with Operating System related commands, those utilities are mostly an extended wrapper to known UNIX commands (like ls, cp, tcpdump...). [[category:61000]] 61000 Security System Front Panel Modules - diagram and descriptions 0 134 353 351 2014-03-08T05:23:59Z Nighthawk 1 wikitext text/x-wiki [[file:61000_front_panel.png]] [[file:61000_front_panel_description.png]] [[category:61000]] 351 350 2014-03-08T05:18:59Z Nighthawk 1 wikitext text/x-wiki [[file:61000_front_panel.png]] [[category:61000]] 350 2014-03-08T05:18:45Z Nighthawk 1 Created page with "[file:61000_front_panel.png] [[category:61000]]" wikitext text/x-wiki [file:61000_front_panel.png] [[category:61000]] 61000 get cmm firmware version 0 143 384 2014-03-25T15:24:30Z Nighthawk 1 Created page with " [Expert@my61k]# '''asg_version''' +--------------------------------------------------------------------------+ | Hardware Versions ..." 
<pre>
[Expert@my61k]# asg_version
+--------------------------------------------------------------------------+
|                            Hardware Versions                             |
+--------------------------------------------------------------------------+
| Component            | Configuration              | Firmware             |
+--------------------------------------------------------------------------+
|                                Chassis 1                                 |
+--------------------------------------------------------------------------+
| SSM1                 | dflt_startup.cfg           | 7.5.20               |
| SSM2                 | dflt_startup.cfg           | 7.5.20               |
| CMM                  | N/A                        | 2.83                 |
+--------------------------------------------------------------------------+
|                                Chassis 2                                 |
+--------------------------------------------------------------------------+
| SSM1                 | dflt_startup.cfg           | 7.5.20               |
| SSM2                 | dflt_startup.cfg           | 7.5.20               |
| CMM                  | N/A                        | 2.70                 |
+--------------------------------------------------------------------------+
...
</pre>

The CMM rows carry the CMM firmware version. Note that in this output it differs between the two chassis: 2.83 on chassis 1 and 2.70 on chassis 2.

[[category:61k]]

61k CMM (revision 549, 2015-01-14T16:20:37Z, Nighthawk)

'''Chassis Management Module CLI'''

The Chassis Management Module (CMM) monitors and controls the hardware modules in the chassis. Communication with a CMM occurs via SNMP requests from the SMO SGM. If a hardware sensor reports a problem, the CMM automatically takes action or sends a report. CMMs also have a command line interface.

'''There are two ways to connect to a CMM CLI:'''

1) Connect to the serial port on the front panel of the CMM
* In your terminal emulation program, set the baud rate to 9600
* Enter admin for the user name and password

OR

2) Open a telnet or SSH session from one of the SGMs
* First make sure that you have connectivity to the CMMs by pinging both addresses:
** 198.51.100.33 (routed via SSM1)
** 198.51.100.233 (routed via SSM2)
* Telnet or ssh from the SGM to the CMM
* Enter admin for the user name and password

Note: the information above is based on default configurations. Prefer ssh over telnet, since telnet sends the admin password in the clear over the CIN network, and change the default admin password once you have access.

[[category:61k]]

Adding drives to nokia firewall (revision 7, 2013-02-25T22:09:19Z, Nighthawk)
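The asg_version table on the "61000 get cmm firmware version" page above is the place to spot a component running different firmware on different chassis, as the two CMM rows there do. The following is an added example, not code from the wiki page or from Check Point: it reads asg_version output on stdin and reports every component whose firmware differs from the first chassis it was seen on. The sample table is constructed from the output shown on that page; the column layout assumed (component, configuration, firmware, separated by pipes, with a "Chassis N" banner row before each group) is the one visible there.

```sh
#!/bin/sh
# Added example (not from the wiki page): flag firmware that differs between
# chassis in "asg_version" output.

# firmware_mismatch: read asg_version text on stdin. For each component name
# remember the firmware reported on the first chassis, then print one line for
# every later chassis that reports something else. Prints nothing if all agree.
firmware_mismatch() {
    awk -F'|' '
        { for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i) }   # trim each cell
        $2 ~ /^Chassis [0-9]+$/ { chassis = $2; next }           # banner row
        NF >= 5 && chassis != "" && $2 != "Component" {          # data row
            comp = $2; fw = $4
            if (!(comp in first)) { first[comp] = fw; where[comp] = chassis }
            else if (first[comp] != fw)
                printf "%s: %s on %s vs %s on %s\n", comp, first[comp], where[comp], fw, chassis
        }'
}

# Constructed sample, taken from the asg_version output on the page above.
SAMPLE_VERSION='+--------------------------------------------------------------------------+
|                            Hardware Versions                             |
+--------------------------------------------------------------------------+
| Component            | Configuration              | Firmware             |
+--------------------------------------------------------------------------+
|                                Chassis 1                                 |
+--------------------------------------------------------------------------+
| SSM1                 | dflt_startup.cfg           | 7.5.20               |
| SSM2                 | dflt_startup.cfg           | 7.5.20               |
| CMM                  | N/A                        | 2.83                 |
+--------------------------------------------------------------------------+
|                                Chassis 2                                 |
+--------------------------------------------------------------------------+
| SSM1                 | dflt_startup.cfg           | 7.5.20               |
| SSM2                 | dflt_startup.cfg           | 7.5.20               |
| CMM                  | N/A                        | 2.70                 |
+--------------------------------------------------------------------------+'

# Live use on the SMO would be:  asg_version | firmware_mismatch
printf '%s\n' "$SAMPLE_VERSION" | firmware_mismatch   # CMM: 2.83 on Chassis 1 vs 2.70 on Chassis 2
```

The check deliberately compares by component name rather than by slot, so SSM1 on chassis 1 is compared with SSM1 on chassis 2; add the chassis name to the key if you want per-slot history instead.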
Below is a console/terminal log of a new hard drive being installed to replace a failed drive and being added back into the RAID mirror. When the volume is created, the first drive selected becomes the master and keeps its data while the second is overwritten, so pick the surviving disk as the primary. Straight after creation the volume reports "degraded, enabled, resync in progress"; that is expected until the mirror has finished rebuilding onto the new disk.

<pre>
BOOTMGR[4]> sysinfo
CPU 0: 2660 MHz Intel(R) Xeon(R) CPU E5430 @ 2.66GHz
Memory: 2663497728 (2048M bytes)
Disk Devices:
IO port 0x1f0 adc0: unit 0 (ad0): <STEC M2+ CF 9.0.2> 128MB (250880 sectors), 980 cyls, 8 heads, 32 S/T
SCSI-DISK-A (da0): <ATA FUJITSU MHY2080B 010C> 80026MB (156301488 sectors), 9729 cyls, 255 heads, 63 S/T, 512 B/S
SCSI-DISK-B (da1): <ATA FUJITSU MHY2080B 010C> 80026MB (156301488 sectors), 9729 cyls, 255 heads, 63 S/T, 512 B/S
Network Interfaces:
eth-s4p1: flags=130<BROADCAST,MULTICAST,PRESENT> ether 00:a0:8e:c0:c2:f4 half duplex
eth-s4p2: flags=130<BROADCAST,MULTICAST,PRESENT> ether 00:a0:8e:c0:c2:f5 half duplex
eth-s4p3: flags=130<BROADCAST,MULTICAST,PRESENT> ether 00:a0:8e:c0:c2:f6 half duplex
eth-s4p4: flags=130<BROADCAST,MULTICAST,PRESENT> ether 00:a0:8e:c0:c2:f7 half duplex
loop0: flags=10b<UP,LINK,LOOPBACK,PRESENT>
tun0: flags=107<UP,LINK,POINTOPOINT,PRESENT>

BOOTMGR[5]> raid
========================================================
IPSO LSI Logic Configuration Utility version : Version 0.5, June 8, 2007
========================================================
Adapter Type ............. 3 (SAS Adapter)
PCI Device ID ............ 0x0056
Hardware Revision ID ..... 0x0004
Devices in Volume ........ 0
FW Version ............... (01.18.00.00) decimal
MPI Version of FW ........ MPI Version 1.5.13.0
========================================================
1) Raid Options Sub-Menu
2) Firmware operations
q) EXIT
========================================================
Choose an option: 1
=================== RAID MENU ==========================
1) Show volume(s)
2) Show physical disk(s)
3) Get Volume Status
Options below available from boot manager
-----------------------------------------
10) Disable volume
11) Enable volume
12) Deactivate volume
13) Activate volume
30) Create RAID Volume
31) Delete RAID Volume
q) Main Menu
========================================================
Choose an option: 30
   B___T___L  Type  Serial        Product            Rev   Blocks     Disk MB
1. 0   0   0  Disk  K449T8825xxx  FUJITSU MHY2080B   010C  156301488  76319
2. 0   1   0  Disk  K449T8625yyy  FUJITSU MHY2080B   010C  156301488  76319
To create a volume, select two or more of the available targets
The first selection will be Migrated as MASTER, keeping the data
Select the primary drive : [1-2 or RETURN to quit] 1
Select a secondary drive : [1-2 or RETURN to quit] 2
2 physical disks were created
Setting volume type: [0=Mirroring]
Setting volume size: 76158 MB
Enabled write caching by default.
Volume was created
Changes made, doing a camcontrol rescan
Re-scan of bus 0 was successful
Re-scan of bus 0 was successful
Waiting 5 seconds for SCSI devices to settle ...... done
=================== RAID MENU ==========================
1) Show volume(s)
2) Show physical disk(s)
3) Get Volume Status
Options below available from boot manager
-----------------------------------------
10) Disable volume
11) Enable volume
12) Deactivate volume
13) Activate volume
30) Create RAID Volume
31) Delete RAID Volume
q) Main Menu
========================================================
Choose an option: 1
------------------ Show Volumes ------------------------
1 volume is active, 2 physical disks are active
Volume 0 is Bus 0 Target 0, Type IM (Integrated Mirroring)
  Volume State: degraded, enabled, resync in progress
  Volume Settings: write caching enabled, auto configure
  Volume Size 76158 MB, Stripe Size 0 KB, 2 Members
  Primary is PhysDisk 0 (Bus 0 Target 4)
  Secondary is PhysDisk 1 (Bus 0 Target 1)
=================== RAID MENU ==========================
1) Show volume(s)
2) Show physical disk(s)
3) Get Volume Status
Options below available from boot manager
-----------------------------------------
10) Disable volume
11) Enable volume
12) Deactivate volume
13) Activate volume
30) Create RAID Volume
31) Delete RAID Volume
q) Main Menu
========================================================
Choose an option: q
========================================================
1) Raid Options Sub-Menu
2) Firmware operations
q) EXIT
========================================================
Choose an option: q
Re-scan of bus 0 was successful
Re-scan of bus 0 was successful
Waiting 5 seconds for SCSI devices to settle ..
Type 'boot <enter>' to continue boot process ..

BOOTMGR[13]> sysinfo
CPU 0: 2660 MHz Intel(R) Xeon(R) CPU E5430 @ 2.66GHz
Memory: 2663497728 (2048M bytes)
Disk Devices:
IO port 0x1f0 adc0: unit 0 (ad0): <STEC M2+ CF 9.0.2> 128MB (250880 sectors), 980 cyls, 8 heads, 32 S/T
DISK-A-B Volume (da0): <LSILOGIC Logical Volume 3000> 79857MB (155971584 sectors), 9708 cyls, 255 heads, 63 S/T, 512 B/S
Network Interfaces:
eth-s4p1: flags=130<BROADCAST,MULTICAST,PRESENT> ether 00:a0:8e:c0:c2:f4 half duplex
eth-s4p2: flags=130<BROADCAST,MULTICAST,PRESENT> ether 00:a0:8e:c0:c2:f5 half duplex
eth-s4p3: flags=130<BROADCAST,MULTICAST,PRESENT> ether 00:a0:8e:c0:c2:f6 half duplex
eth-s4p4: flags=130<BROADCAST,MULTICAST,PRESENT> ether 00:a0:8e:c0:c2:f7 half duplex
loop0: flags=10b<UP,LINK,LOOPBACK,PRESENT>
tun0: flags=107<UP,LINK,POINTOPOINT,PRESENT>
</pre>

[[category:nokia]]

Assign cma list to variable (revision 6, 2013-02-25T22:04:56Z, Nighthawk)

Assign the CMA list to an array variable for use in a script.

Check Point command that prints the CMA names, one per line (mdsstat output is a pipe-delimited table; once the pipes are stripped, the second column is the CMA name):

<pre>
mdsstat | grep CMA | sed -e 's/|//g' | awk '{print $2}'
</pre>

bash example: assign to an array variable and access the first CMA via index 0. The outer parentheses are what make CMA_LIST an array; without them it is a single space-separated string.

<pre>
# array of CMA names taken from mdsstat
# (print rather than printf, so a CMA name is never used as a format string)
CMA_LIST=($(mdsstat | grep CMA | sed -e 's/|//g' | awk '{print $2}'))

# first CMA
echo "${CMA_LIST[0]}"

# how many, and a loop over all of them
echo "${#CMA_LIST[@]} CMAs"
for cma in "${CMA_LIST[@]}"; do
    echo "$cma"
done
</pre>

[[category:scripting]]

CLI upgrade guide for R75.40 SPLAT to R75.40 Gaia (revision 455, 2014-05-12T18:31:36Z, Nighthawk)

Why would you bother to upgrade just the O.S. and not the Check Point version? In this case the goal was to get to Gaia in order to use VRRP instead of CPHA, and we did not feel like upgrading the SmartCenter, which was at R75.40.

Using the CLI...

1. Upload the Check_Point_R75.40_Gaia.iso file to the firewall, or insert the media. There are multiple ISO images from Check Point with the same name as above; md5 for the media used here:
<pre>
# md5sum Check_Point_R75.40_Gaia.iso
e5074b92c37a165ef940cb34c1725511
</pre>

2. Mount the media:

<pre>
[Expert@chkpfw2]# mount /mnt/cdrom
</pre>

or

<pre>
[Expert@chkpfw2]# mount -o loop /var/tmp/Check_Point_R75.40_Gaia.iso /mnt/cdrom
</pre>

3. Verify that this member is the backup (standby) member of the cluster before touching it: cphaprob stat

4. Uninstall something. The upgrade wrapper script will force us to choose a new product to install, so uninstall something simple. I chose Performance Pack:

<pre>
[Expert@chkpfw2]# rpm -e CPppak-R75.40-00
</pre>

5. Start the upgrade:

<pre>
[Expert@chkpfw2]# patch add cd
</pre>

6. Reboot.

7. Install policy.

8. Fail over CPHA. CPHA will still function, since we have not changed software versions.

9. Test traffic flows.

10. Repeat steps 1-7 on the other (now offline) firewall.

11. Set up VRRP on both firewalls. Some downtime will result. http://www.cpwiki.net/index.php/gaia_vrrp_setup_using_CLI

12. Edit local.arp. Replace the old unicast MAC addresses used by CPHA with the VMAC address associated with the VRRP backup-addresses.

13. Re-install policy.

14. Check the proxy ARPs on both firewalls: # fw ctl arp

15. Validate traffic flows through the firewalls.
verify backup status cphaprob stat 4. uninstall something... The upgrade wrapper script will force us to chose a new product to install, so uninstall something simple. I chose Performance Pack. [Expert@chkpfw2]# '''rpm -e CPppak-R75.40-00''' 4. Start upgrade [Expert@chkpfw2]# '''patch add cd''' 5. Reboot 6. Install policy 7. Failover cpha 221 216 2013-09-13T07:05:33Z Nighthawk 1 wikitext text/x-wiki using the WebUI... 1. upload the Check_Point_R75.40_Gaia.iso file or insert media into the firewall 2. mount the media [Expert@chkpfw2]# mount /mnt/cdrom or [Expert@chkpfw2]# mkdir /mnt/iso [Expert@chkpfw2]# mount -o loop /var/tmp/Check_Point_R75.40_Gaia.iso /mnt/iso 3. verify backup status cphaprob stat 4. uninstall something... The upgrade wrapper script will force us to chose a new product to install, so uninstall something simple. I chose Performance Pack. [Expert@chkpfw2]# rpm -e CPppak-R75.40-00 4. Start upgrade [Expert@chkpfw2]# patch add cd 5. Reboot 6. Install policy 7. Failover cpha 216 215 2013-09-13T06:38:48Z Nighthawk 1 wikitext text/x-wiki using the WebUI... 1. upload the Check_Point_R75.40_Gaia.iso file or insert media into the firewall 2. mount the media [Expert@chkpfw2]# mount /mnt/cdrom or [Expert@chkpfw2]# mkdir /mnt/iso [Expert@chkpfw2]# mount -o loop /var/tmp/Check_Point_R75.40_Gaia.iso /mnt/iso 3. verify backup status cphaprob stat 4. Start upgrade [Expert@chkpfw2]# patch add cd 5. Reboot 6. Install policy 7. Failover cpha 215 214 2013-09-13T03:27:49Z Nighthawk 1 wikitext text/x-wiki using the WebUI... 1. upload the Check_Point_R75.40_Gaia.iso file or insert media into the firewall 2. mount the media [Expert@chkpfw2]# mount /mnt/cdrom or [Expert@chkpfw2]# mkdir /mnt/iso [Expert@chkpfw2]# mount -o loop /var/tmp/Check_Point_R75.40_Gaia.iso /mnt/iso 3. verify backup status cphaprob stat 4. Start upgrade [Expert@chkpfw2]# patch add cd 214 2013-09-12T21:06:44Z Nighthawk 1 Created page with "using the WebUI... 1. 
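Steps 12 and 14 are the two places where the cutover from CPHA to VRRP silently breaks NAT: a proxy-ARP entry left on the old unicast MAC is never answered by the VRRP master. The helpers below are an added example, not code from the original page or from Check Point. They assume, none of which the page states, that local.arp lives at $FWDIR/conf/local.arp and holds "<ip> <mac>" pairs, that the VRRP virtual MAC has the RFC 3768 form 00:00:5e:00:01:<VRID>, and that "fw ctl arp" prints one "(ip) at <mac> interface <if>" line per entry as in the constructed sample in the usage note. Confirm the VMAC the gateway actually uses (clish "show vrrp") before rewriting, since the VMAC mode configured on the box decides which address the backup-addresses answer from.

```shell
#!/bin/sh
# Added example, not from the original page. Helpers for step 12 (rewrite local.arp)
# and step 14 (compare local.arp against "fw ctl arp") of the CPHA-to-VRRP cutover.
# Assumptions (not stated on the page): local.arp lines are "<ip> <mac>", the VRRP
# VMAC follows RFC 3768 (00:00:5e:00:01:<VRID>), and "fw ctl arp" prints one
# "(ip) at <mac> interface <if>" line per proxy-ARP entry.

# vrrp_vmac VRID  -> prints the RFC 3768 virtual MAC for VRID 1..255
vrrp_vmac() {
    case "$1" in
        ''|*[!0-9]*) echo "vrrp_vmac: VRID must be a number" >&2; return 1 ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 255 ]; then
        echo "vrrp_vmac: VRID $1 out of range 1..255" >&2; return 1
    fi
    printf '00:00:5e:00:01:%02x\n' "$1"
}

# rewrite_local_arp FILE OLD_MAC VRID
# Writes FILE.new with every entry that used OLD_MAC (the old CPHA unicast MAC)
# pointed at the VMAC for VRID. FILE itself is left untouched so the change can be
# reviewed with diff before it is copied into place. Prints the number of entries changed.
rewrite_local_arp() {
    file=$1
    old_mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    vmac=$(vrrp_vmac "$3") || return 1
    awk -v old="$old_mac" -v new="$vmac" -v out="$file.new" '
        /^[[:space:]]*(#|$)/ { print > (out); next }       # keep comments and blank lines
        {
            if (tolower($2) == old) { $2 = new; n++ }
            print $1, $2 > (out)
        }
        END { print n + 0 }
    ' "$file"
}

# check_proxy_arp LOCAL_ARP ARP_OUTPUT
# ARP_OUTPUT is a saved "fw ctl arp" listing. Every entry in LOCAL_ARP must appear
# there with the same MAC; mismatches and missing entries are printed and the function
# returns 1, so it can gate the traffic test in step 15.
check_proxy_arp() {
    file=$1 arp_out=$2 bad=0
    while read -r ip mac rest; do
        case "$ip" in ''|\#*) continue ;; esac
        want=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        got=$(awk -v key="($ip)" '$1 == key { print tolower($3); exit }' "$arp_out")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $ip: local.arp says $want, fw ctl arp says ${got:-<absent>}"
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# Typical run on the gateway (not executed here):
#   rewrite_local_arp "$FWDIR/conf/local.arp" 00:1c:7f:aa:bb:01 10
#   diff "$FWDIR/conf/local.arp" "$FWDIR/conf/local.arp.new"   # review, then cp .new over the file
#   (re-install policy)
#   fw ctl arp > /var/tmp/arp.txt && check_proxy_arp "$FWDIR/conf/local.arp" /var/tmp/arp.txt
```

Run the check on both members: the standby does not answer proxy ARP, but its local.arp must already carry the VMAC so that a failover does not reintroduce the old unicast address.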
CLM object settings 0 204 615 614 2017-04-16T19:02:39Z Nighthawk 1 wikitext text/x-wiki
objects_5_0.C settings on a CLM (Customer Log Module) that control log retention and SmartLog indexing. Each line is the attribute name with its value in parentheses.
==logs > storage==
:log_delete_below_metrics (percent)
:log_delete_below_value (5)
:log_delete_on_below (true)
:log_delete_on_run_script (false)
:log_delete_script_command ()
:log_keep_days_value (30)
:log_keep_on_days (true)
===index files (smartlog)===
:index_delete_above_size (false)
:index_delete_above_size_metrics (percent)
:index_delete_above_size_value (30)
:index_delete_older_than (true)
:index_delete_older_than_value (14)
==smartlog enabled==
:log_indexer (true)
CMA login failure regarding permissions 0 111 203 202 2013-08-07T07:49:53Z Nighthawk 1 wikitext text/x-wiki
== symptoms ==
'''SmartDashboard Error Message:''' "Read/Write permission are required in order to connect in this mode"
'''Domain Manager / MDG:''' hangs at "Loading Administrators..."
'''fwm debug message:''' [FWM 10581 1962781312]@mds1[7 Aug  7:29:06] Failed to initialize administrators profiles
== Solution ==
'''sk71921'''
Stop the MDS, keep a copy of the current (broken) admin_permissions_profiles.C, restore the previous copy (the .backup file) over it, and start the MDS again:
 # mdsstop -m
 # cp $MDSDIR/mdsdb/admin_permissions_profiles.C $MDSDIR/mdsdb/admin_permissions_profiles.C.backup2
 # cp $MDSDIR/mdsdb/admin_permissions_profiles.C.backup $MDSDIR/mdsdb/admin_permissions_profiles.C
 # mdsstart -m
Logins via MDG and SmartDashboard function again.
[[category:provider-1]]
CMA status is "Stopped" in MDG 0 12 13 2013-02-25T22:39:33Z Nighthawk 1 wikitext text/x-wiki
Solution ID: sk35378
Product: Multi-Domain Management / Provider-1
Version: NGX R65, R70
Last Modified: 07-Jul-2008
== Symptoms ==
CMA status in MDG is "Stopped". User cannot connect to the CMA from the MDG. No problem connecting to the CMA directly via SmartDashboard.
== Cause ==
applications.C* and CPMILinks* files have been corrupted.
== Solution ==
To resolve this issue, move the applications.C* and CPMILinksMgr.* files out of the CMA's conf directory; both are rebuilt when the CMA starts.
Proceed as follows:
Change the environment to the relevant CMA and check the environment location:
 # mdsenv CMA_name
 # echo $FWDIR
Note: The user can also use the command # mdsenv IP
Stop the relevant CMA and check its status:
 # mdsstop_customer CMA_name
 # mdsstat
Note: The user can also use the command # mdsstop_customer IP
Change to the conf directory of the relevant CMA and move the applications.C* and CPMILinksMgr.* files aside:
 # mcd conf
 # mkdir backup
 # mv $FWDIR/conf/applications.C* $FWDIR/conf/backup/
 # mv $FWDIR/conf/CPMILinksMgr.* $FWDIR/conf/backup/
Restart the CMA:
 # mdsstart_customer CMA_name
Note: The user can also use the command # mdsstart_customer IP
Check the MDG status for the relevant CMA. Wait 1-2 minutes for the status to update, then test the SmartDashboard launch from the MDG.
Notes:
applications.C and CPMILinksMgr.db will be created again (in $FWDIR/conf/) at CMA restart.
Do not delete these files from the MDS itself. These files are not recreated at the MDS level (only on the CMA), so check that $FWDIR points into the CMA's directory before the mv.
The backup directory can be removed after the solution is verified.
[[category:check point]]
CMD (Chassis Monitor Daemon) restart 0 168 477 465 2014-05-23T03:58:47Z Nighthawk 1 wikitext text/x-wiki
== identify the SGM blade running the CMD ==
run "asg stat -i tasks" and note the SGM ID for the CH Monitor task
example:
 [Expert@my61k-ch01-01]# '''asg stat -i tasks'''
 Chassis ID: 1
 -------------
 Task (Task ID)      SGM ID
 UIPC (5)            1(local)
 General (1)         2
 LACP (2)            3
 CH Monitor (3)      4
 
 Chassis ID: 2
 -------------
 Task (Task ID)      SGM ID
 SMO (0)             1
 UIPC (5)            1
 General (1)         2
 LACP (2)            3
 CH Monitor (3)      4
 DR Manager (4)      5
change to the appropriate blade (chassis 1, SGM 4 in this example)
 [Expert@my61k-ch01-01]# '''blade 1_4'''
 Moving to blade 1_4
 This system is for authorized use only.
 Last login: Sat Apr 12 04:54:15 2014 from 192.0.2.1
restart cmd (stop it, then start it again)
 [Expert@my61k-ch01-04]# '''tellpm process:cmd'''
 [Expert@my61k-ch01-04]# '''tellpm process:cmd t'''
check the cmd process status / id
 [Expert@my61k-ch01-04]# '''ps -ef | grep cmd$'''
 nobody   19781  4339  0 03:45 ?        00:00:00 /opt/CPsuite-R75/fw1/bin/cmd
[[category:61000]]
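On a two-chassis system the CH Monitor task can sit on a different SGM per chassis, and reading the wrong column sends you to a blade that is not running cmd. The parser below is an added example, not code from the original page or from Check Point: it pulls the "<chassis>_<sgm>" blade id for the CH Monitor task out of "asg stat -i tasks" output. ASG_SAMPLE is constructed from the listing on this page; real output may space the columns differently, so the parser keys on the "Chassis ID:" header and the task name rather than on column positions.

```shell
#!/bin/sh
# Added example, not from the original page. Finds the SGM that runs the
# "CH Monitor" task in "asg stat -i tasks" output so the "blade <chassis>_<sgm>"
# hop is computed rather than read by eye. ASG_SAMPLE is constructed from the
# listing on this page; the parser does not depend on column widths.

ASG_SAMPLE='Chassis ID: 1
-------------
Task (Task ID)      SGM ID
UIPC (5)            1(local)
General (1)         2
LACP (2)            3
CH Monitor (3)      4
Chassis ID: 2
-------------
Task (Task ID)      SGM ID
SMO (0)             1
UIPC (5)            1
General (1)         2
LACP (2)            3
CH Monitor (3)      4
DR Manager (4)      5'

# ch_monitor_blades < asg-output  -> one "<chassis>_<sgm>" line per chassis
ch_monitor_blades() {
    awk '
        /^Chassis ID:/ { chassis = $3; next }          # "Chassis ID: 1"
        /^CH Monitor/  {                                # "CH Monitor (3)   4" or "... 1(local)"
            sgm = $NF
            sub(/\(.*$/, "", sgm)                       # drop a trailing "(local)" marker
            if (chassis != "") print chassis "_" sgm
        }
    '
}

# blade_for_chassis N < asg-output -> the blade id for chassis N only (empty if none)
blade_for_chassis() {
    ch_monitor_blades | awk -F_ -v c="$1" '$1 == c { print; exit }'
}

# cmd_blades_from_sample -> runs the parser over the constructed sample
cmd_blades_from_sample() {
    printf '%s\n' "$ASG_SAMPLE" | ch_monitor_blades
}

# On the SMO (not executed here):
#   asg stat -i tasks | ch_monitor_blades        # prints 1_4 and 2_4 for the sample above
#   blade 1_4                                    # hop to the SGM that owns the chassis 1 CMD
#   tellpm process:cmd && tellpm process:cmd t   # stop, then start, the cmd process
#   ps -ef | grep 'cmd$'                         # confirm it is running again
```

The parser prints one line per chassis because each chassis has its own CMD; restart it on each blade reported, not only on the local one.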
CMM Shelf Manager CLI Command Summary 0 149 418 2014-04-15T15:58:19Z Nighthawk 1
wikitext text/x-wiki <TABLE CLASS="Titled" SUMMARY="Table that is numbered and titled" BORDER="1" CELLPADDING="5" CELLSPACING="0" DIR="LTR"><CAPTION CLASS="TableCaptionA-Wide"> Shelf Manager CLI Command Summary </CAPTION> <TR> <TH SCOPE="COL" ROWSPAN="1" COLSPAN="1" BGCOLOR="#CCCCCC"> <P CLASS="TableHead">Command </P> </TH> <TH SCOPE="COL" ROWSPAN="1" COLSPAN="1" BGCOLOR="#CCCCCC"> <P CLASS="TableHead">Parameters </P> </TH> <TH SCOPE="COL" ROWSPAN="1" COLSPAN="1" BGCOLOR="#CCCCCC"> <P CLASS="TableHead">Description </P> </TH> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">activate</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">IPMB address </P> <P CLASS="TableText">FRU device ID </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Activates the specified FRU. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">alarm</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">alarm type </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Activates or clears Telco alarms. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">board -v</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">slot number (optional) </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Shows information about blade servers. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">boardreset</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">slot number </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Resets the specified ATCA blade server. 
</P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">console</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">slot number </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Opens a console session on the node blade server in the specified slot. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">deactivate</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">IPMB address </P> <P CLASS="TableText">FRU device ID </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Deactivates the specified FRU. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">exit</KBD>|<KBD CLASS="Command">quit</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">&nbsp; </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Exits from the interpreter in interactive mode. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">fans</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">IPMB address (optional) </P> <P CLASS="TableText">FRU device ID (optional) </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Shows information about fans. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">fru</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">IPMB address (optional) </P> <P CLASS="TableText">FRU device ID (optional) </P> <P CLASS="TableText">FRU type (optional) </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Shows information about one or a group of FRUs in the shelf; FRUs are selected by type or by the parent IPM controller. 
</P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">frudata</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">IPMB address (optional) </P> <P CLASS="TableText">FRU device ID (optional) </P> <P CLASS="TableText">block/byte offset (optional) </P> <P CLASS="TableText">data (optional) </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Provides raw access to the FRU Information on the specified FRU. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">frudatar</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">IPMB address </P> <P CLASS="TableText">FRU device ID </P> <P CLASS="TableText">File name </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Reads the FRU data area of the specified FRU and stores the data in the specified file. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">frudataw</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">IPMB address </P> <P CLASS="TableText">FRU device ID </P> <P CLASS="TableText">File name </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Writes the FRU data in the specified file into the FRU data area of the specified FRU. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">fruinfo -v</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">IPMB address </P> <P CLASS="TableText">FRU device ID </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Provides user-friendly FRU Information output. 
</P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">getthreshold</KBD> | <KBD CLASS="Command">threshold</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">IPMB address (optional) </P> <P CLASS="TableText">sensor name (optional) </P> <P CLASS="TableText">sensor number (optional) </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Shows threshold information about a specific sensor. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">help</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">&nbsp; </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Shows the list of supported commands. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">ipmc</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">IPMB address (optional) </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Shows information about one or all IPM controllers in the shelf. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">minfanlevel</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">fan level (optional) </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Shows or sets the minimum fan level. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">ps -ef |grep hp</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><STRONG></STRONG>&nbsp; </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Checks the <KBD CLASS="Command">openhpi</KBD> status. 
</P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">sensor</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">IPMB address (optional) </P> <P CLASS="TableText">sensor name (optional) </P> <P CLASS="TableText">sensor number (optional) </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Shows information about one or a group of sensors; sensors are selected by IPM controller address, number or name. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">sensordata</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">IPMB address (optional) </P> <P CLASS="TableText">sensor name (optional) </P> <P CLASS="TableText">sensor number (optional) </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Shows value information for a specific sensor. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">sensorread</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">IPMB address </P> <P CLASS="TableText">sensor number </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Shows raw value information for a specific sensor (ignoring any Sensor Data Record describing the sensor). </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">setfanlevel</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">IPMB address </P> <P CLASS="TableText">FRU device ID </P> <P CLASS="TableText">level </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Sets a new level for the fan controlled by the specified FRU. </P> <P CLASS="TableText">Use <KBD CLASS="Command">clia setfanlevel 20 3 5</KBD> to get the fans to slow down. 
</P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">setfanpolicy</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">IPMB address </P> <P CLASS="TableText">FRU device ID </P> <P CLASS="TableText">action to be taken: <KBD CLASS="Command">ENABLE</KBD> or <KBD CLASS="Command">DISABLE</KBD> </P> <P CLASS="TableText">timeout (optional) </P> <P CLASS="TableText">site type (optional) </P> <P CLASS="TableText">site number (optional) </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Enables or disables fan trays for cooling management in addition to the Fan Geography record if this one is presented in the Shelf FRU. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">setthreshold</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">IPMB address </P> <P CLASS="TableText">sensor name </P> <P CLASS="TableText">sensor number </P> <P CLASS="TableText">threshold type </P> <P CLASS="TableText">threshold value </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Changes a specific threshold value (upper/lower, critical/non-critical/non-recoverable) for a specific sensor. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">setuserlabel</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">shelf name </P> <P CLASS="TableText">slot number name </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Configures user assigned names for the shelf and the blade servers. Blade server names are assigned to slot numbers. 
</P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">shelf</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">subcommand, with its parameters </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Shows general information about the shelf; several subcommands allow setting shelf attributes and getting additional information about specific areas. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">shelfaddress</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Shelf Address string (optional) </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Gets or sets the Shelf Address field of the Address Table within Shelf FRU Information. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">shelf address_table </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">&nbsp; </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Shows the address table record in the shelf FRU info with shelf address and list of address table entries. For each entry, shows hardware address, site type, and site number. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">shelf cooling_state </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">&nbsp; </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Shows the current cooling state of the shelf with normal, minor, major, and critical alert information. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">shelf fans_state </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">&nbsp; </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Shows the current state of the fan tachometers in the shelf with normal, minor, major and critical alert information. 
</P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">shmstatus</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">&nbsp; </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Shows the Shelf Manager Active/Backup status. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">showhost</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">slot-number </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Displays version information about the firmware on certain Netra CP3x60 node blade servers. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">showunhealthy</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">&nbsp; </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Shows the unhealthy components of the shelf. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">switchover</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">&nbsp; </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Initiates a switchover to the backup Shelf Manager. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">terminate</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">&nbsp; </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Terminates the Shelf Manager without rebooting the shelf management card. </P> </TD> </TR> <TR> <TD SCOPE="ROW" ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText"><KBD CLASS="Command">version</KBD> </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">&nbsp; </P> </TD> <TD ROWSPAN="1" COLSPAN="1"> <P CLASS="TableText">Shows the Shelf Manager version information. 
</P> </TD> </TR> </TABLE>
Changing the Mgmt HA status of SmartCenter / CMA from command line 0 13 473 472 2014-05-20T15:34:17Z Nighthawk 1 wikitext text/x-wiki
Changing the HA status of the Management station from command line (CLI)
Solution ID: sk34495
Product: SmartCenter, Multi-Domain Management / Provider-1, SecurePlatform
Version: NGX R65, R70, R71, R75, R77
Date Created: 27-Feb-2008
Last Modified: 13-Dec-2011
== Solution ==
Run the cpstop command first; after changing the flag, start the services again with cpstart.
To find out the current status, run:
 # cpprod_util FwIsActiveManagement
where 0 means Standby and 1 means Active.
To set the Management station to Standby status, run:
 # cpprod_util FwSetActiveManagement 0
To set the Management station to Active status, run:
 # cpprod_util FwSetActiveManagement 1
[[category:provider-1]]
[[category:smartcenter]]
0 - means Standby 1 - means Active To set the Management station to Standby status, run: # cpprod_util FwSetActiveManagement 0 To set the Management station to Active status, run: # cpprod_util FwSetActiveManagement 1 [[category:check point]] Check CMA active / standby status from command line / CLI 0 9 10 2013-02-25T22:11:18Z Nighthawk 1 Created page with "cpmistat -o schema -r mg <cma_name> | grep mgActiveStatus [[category:mgmtha]]" wikitext text/x-wiki cpmistat -o schema -r mg <cma_name> | grep mgActiveStatus [[category:mgmtha]] Check Point RMA return status check 0 128 316 2013-11-19T16:54:34Z Nighthawk 1 Created page with " send email to: rma_return@checkpoint.com include: SR # AND Replacement MAC address or serial number or STN [[category:support]]" wikitext text/x-wiki send email to: rma_return@checkpoint.com include: SR # AND Replacement MAC address or serial number or STN [[category:support]] Check Point man pages (R75): fw log 0 63 90 89 2013-05-09T16:15:58Z Nighthawk 1 wikitext text/x-wiki '''fw log''' '''Description''' fw log displays the content of Log files. '''Usage''' fw log [-f [-t]] [-n] [-l] [-o] [-c action] [-h host] [-s starttime] [-e endtime] [-b starttime endtime] [-u unification_scheme_file] [-m unification_mode(initial|semi|raw)] [-a] [-k (alert_name|all)] [-g] [logfile] '''Syntax''' {| cellspacing="5" border="1" ! align="left" |Argument ! Description |- | -f [-t] |After reaching the end of the currently displayed file, do not exit (the default behavior), but continue to monitor the Log file indefinitely and display it while it is being written. The -t parameter indicates that the display is to begin at the end of the file, in other words, the display will initially be empty and only new records added later will be displayed. -t must come with a -f flag. These flags are relevant only for active files. |- | -n | Do not perform DNS resolution of the IP addresses in the Log file (the default behavior). 
This option significantly speeds up the processing. |- | -l | Display both the date and the time for each log record (the default is to show the date only once above the relevant records, and then specify the time per log record). |- | -o | Show detailed log chains (all the log segments a log record consists of). |- | -c action | Display only events whose action is action, that is, accept, drop, reject, authorize, deauthorize, encrypt and decrypt. Control actions are always displayed. |- | -h host | Display only log whose origin is the specified IP address or name. |- | -s starttime | Display only events that were logged after the specified time (see format below). starttime may be a date, a time, or both. If date is omitted, then today's date is assumed. |- | -e endtime | Display only events that were logged before the specified time (see format below). endtime may be a date, a time, or both. |- | -b starttime endtime | Display only events that were logged between the specified start and end times (see format below), each of which may be a date, a time, or both. If date is omitted, then today's date is assumed. The start and end times are expected after the flag. |- | -u Unification scheme file name. | unification_scheme_file |- | -m unification_mode | This flag specifies the unification mode.  initial - the default mode, specifying complete unification of log records; that is, output one unified record for each id. This is the default. When used together with -f, no updates will be displayed, but only entries relating to the start of new connections. To display updates, use the semi parameter.  semi - step-by-step unification, that is, for each log record, output a record that unifies this record with all previously-encountered records with the same id.  raw - output all records, with no unification. |- | -a | Output account log records only. |- | -k alert_name |Display only events that match a specific alert type. The default is all, for any alert type. 
|- | -g | Do not use a delimited style. The default is:  : after field name  ; after field value |- | logfile | se logfile instead of the default Log file. The default Log File is $FWDIR/log/fw.log. |} Where the full date and time format is: MMM DD, YYYY HH:MM:SS. For example: May 26, 1999 14:20:00 It is possible to specify date only in the format MMM DD, YYYY, or time only, in the format: HH:MM:SS, where time only is specified, the current date is assumed. '''Example''' fw log fw log | more fw log -c reject fw log -s "May 26, 1999" fw log -f -s 16:00:00 '''Output''' [<date>] <time> <action> <origin> <interface dir and name> [alert] [field name: field value;] ... Each output line consists of a single log record, whose fields appear in the format shown above. '''Example''' 14:56:39 reject jam.checkpoint.com >daemon alert src: veredr.checkpoint.com; dst: jam.checkpoint.com; user: a; rule: 0; reason: Client Encryption: Access denied - wrong user name or password ; scheme: IKE; reject_category: Authentication error; product: Security Gateway 14:57:49 authcrypt jam.checkpoint.com >daemon src: veredr.checkpoint.com; user: a; rule: 0; reason: Client Encryption: Authenticated by Internal Password; scheme: IKE; methods: AES- 256,IKE,SHA1; product: Security Gateway; 14:57:49 keyinst jam.checkpoint.com >daemon src: veredr.checkpoint.com; peer gateway: veredr.checkpoint.com; scheme: IKE; IKE: Main Mode completion.; CookieI: 32f09ca38aeaf4a3; CookieR: 73b91d59b378958c; msgid: 47ad4a8d; methods: AES-256 + SHA1, Internal Password; user: a; product: Security Gateway; [[category: man pages R75]] 89 88 2013-05-09T16:15:43Z Nighthawk 1 wikitext text/x-wiki '''fw log''' '''Description''' fw log displays the content of Log files. 
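As an added example (not part of the wiki page and not Check Point's own tooling), the following Python parses fw log output in the record layout documented above into structured records, then runs a small defender-side check over them: it counts reject records whose reject_category is "Authentication error" per source and user and flags pairs that reach a threshold. Input is the man page's three example records plus three constructed reject records; treating the interface as a single token such as ">daemon" and expecting the optional "alert" marker immediately before the first field are assumptions taken from the man page's examples, not from a specification.

```python
"""Parse fw log output and flag repeated authentication failures.

Added example for the fw log man page; not Check Point code. It assumes the
documented record layout:

    [<date>] <time> <action> <origin> <interface dir and name> [alert] [field name: field value;] ...

and (assumption from the man page's examples) that the interface is one token
such as ">daemon".
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TIME_RE = re.compile(r"^\d{2}:\d{2}:\d{2}$")


@dataclass
class FwLogRecord:
    date: Optional[str]
    time: str
    action: str
    origin: str
    interface: str
    alert: bool
    fields: Dict[str, str] = field(default_factory=dict)


def parse_fw_log_line(line: str) -> FwLogRecord:
    """Split one fw log output line into its fixed header and its field list."""
    tokens = line.split()
    # With -l the record starts with a date ("May 26, 1999"); skip tokens until
    # the first HH:MM:SS token, which is the time field.
    i = 0
    while i < len(tokens) and not TIME_RE.match(tokens[i]):
        i += 1
    if len(tokens) < i + 4:
        raise ValueError(f"not an fw log record: {line!r}")
    date = " ".join(tokens[:i]) or None
    time_, action, origin, interface = tokens[i:i + 4]
    rest = tokens[i + 4:]
    # The optional "alert" marker sits before the first "name:" token.
    alert = bool(rest) and rest[0] == "alert"
    if alert:
        rest = rest[1:]
    fields: Dict[str, str] = {}
    # Fields are "name: value;" pairs. Values may contain colons themselves
    # ("reason: Client Encryption: Access denied ..."), so split on the first only.
    for segment in " ".join(rest).split(";"):
        name, sep, value = segment.partition(":")
        if sep and name.strip():
            fields[name.strip()] = value.strip()
    return FwLogRecord(date, time_, action, origin, interface, alert, fields)


def parse_fw_log(text: str) -> List[FwLogRecord]:
    """Parse every non-blank line of fw log output."""
    return [parse_fw_log_line(ln) for ln in text.splitlines() if ln.strip()]


def auth_failure_counts(records: List[FwLogRecord]) -> Counter:
    """Count rejected authentication attempts per (src, user)."""
    counts: Counter = Counter()
    for r in records:
        if r.action == "reject" and r.fields.get("reject_category") == "Authentication error":
            counts[(r.fields.get("src", "?"), r.fields.get("user", "?"))] += 1
    return counts


def repeated_auth_failures(records: List[FwLogRecord], threshold: int = 3) -> Dict[Tuple[str, str], int]:
    """Return the (src, user) pairs whose failure count reaches the threshold."""
    return {k: n for k, n in auth_failure_counts(records).items() if n >= threshold}


# The first three lines are the man page's example records; the three 15:01
# lines are constructed for this example (203.0.113.7 is a documentation address).
SAMPLE_LOG = """\
14:56:39 reject jam.checkpoint.com >daemon alert src: veredr.checkpoint.com; dst: jam.checkpoint.com; user: a; rule: 0; reason: Client Encryption: Access denied - wrong user name or password ; scheme: IKE; reject_category: Authentication error; product: Security Gateway
14:57:49 authcrypt jam.checkpoint.com >daemon src: veredr.checkpoint.com; user: a; rule: 0; reason: Client Encryption: Authenticated by Internal Password; scheme: IKE; methods: AES-256,IKE,SHA1; product: Security Gateway;
14:57:49 keyinst jam.checkpoint.com >daemon src: veredr.checkpoint.com; peer gateway: veredr.checkpoint.com; scheme: IKE; IKE: Main Mode completion.; CookieI: 32f09ca38aeaf4a3; CookieR: 73b91d59b378958c; msgid: 47ad4a8d; methods: AES-256 + SHA1, Internal Password; user: a; product: Security Gateway;
15:01:02 reject jam.checkpoint.com >daemon alert src: 203.0.113.7; dst: jam.checkpoint.com; user: b; rule: 0; reason: Client Encryption: Access denied - wrong user name or password ; scheme: IKE; reject_category: Authentication error; product: Security Gateway;
15:01:05 reject jam.checkpoint.com >daemon alert src: 203.0.113.7; dst: jam.checkpoint.com; user: b; rule: 0; reason: Client Encryption: Access denied - wrong user name or password ; scheme: IKE; reject_category: Authentication error; product: Security Gateway;
15:01:09 reject jam.checkpoint.com >daemon alert src: 203.0.113.7; dst: jam.checkpoint.com; user: b; rule: 0; reason: Client Encryption: Access denied - wrong user name or password ; scheme: IKE; reject_category: Authentication error; product: Security Gateway;
"""

if __name__ == "__main__":
    recs = parse_fw_log(SAMPLE_LOG)
    for r in recs:
        print(r.time, r.action, r.fields.get("src"), r.fields.get("reason"))
    print("repeated failures:", repeated_auth_failures(recs))
```

Piping real output into this (for example `fw log -n -c reject | python3 fwlog_parse.py`, with a stdin reader added) keeps DNS resolution off as the -n row above recommends, which matters when the source addresses themselves are the indicator being counted.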
= Check Point rma shipping address =
''Revision of 2013-02-27T20:01:28Z by Nighthawk (moved from [[Check point rma]]).''

return shipping link<br>
http://www.checkpoint.com/services/techsupport/programs/rma-return-process.html

[[category:check point]]

= Check point automatic rule creation notes =
''Revision of 2013-02-26T00:02:47Z by Nighthawk.''

* query user for group names to put objects in
* input change ticket numbers into the dbedit command using the -r switch
* create a dbversion after changes are saved, using dbver

== checking for existing objects ==
 cpmiquerybin attr "" network_objects "ipaddr='95.140.96.0'<del>,netmask='255.255.240.0'</del>" -a __name__
<<< '''can't submit 2 queries?'''
 cpmiquerybin attr "" network_objects "ipaddr='$ipaddr'" -a __name__
<<< '''could return multiple matches!!!'''

[[category:work]]

= Check point cma startup problem =
''Revision of 2013-02-26T00:15:53Z by Nighthawk.''

== problem description ==
Attempts to start the CMA fail as in the following:
 [Expert@mds1]# '''mdscmd startcma customer_name -i 192.168.1.100'''
 Failed to start CMA my_customer_name: While attempting to initialize, the CMA reached a timeout. Wait a few minutes before working with the CMA.

mdsstat for the CMA after the attempted start:
 ^ CMA ^ customer_name ^ 192.168.1.100 ^ down ^ down ^ down ^ down ^

== solution ==
This is happening due to the registry file (HKLM_registry.data) getting corrupted. If there is a backup, replace this file within the CMA environment ($CPDIR/registry):
# cd /var/backup
# identify a backup with the appropriate date
# move or copy it to a tmp dir
# unzip it and untar it
# you will then have more tgz files
# unpack mds_backup_var_opt.tgz
# replace the CMA registry file with the one from the backup

[[category:check point]]

= Check point firewall command reference =
''Revision of 2013-06-21T15:44:23Z by Nighthawk (moved to [[fw log command line example]]).''

#REDIRECT [[fw log command line example]]

= Check point kernel module version =
''Revision of 2013-02-26T00:21:50Z by Nighthawk.''

 cpvinfo <path_to_fwmod.o>
 cpvinfo $FWDIR/boot/modules/fwmod.o
 cpvinfo $FWDIR/boot/modules/fwmod.o | grep -E "Build|Release"

[[category:check point]]

= Check point license repository =
''Revision of 2018-06-23T12:08:22Z by Nighthawk.''

'''Problem description:'''

A firewall was deleted without detaching a central license. The firewall object was recreated with a new name. Attempts to attach a license with SmartUpdate failed with an error to the effect that no unattached licenses were available. I obtained the certificate key from the firewall database. A search was performed on the Check Point User Center with the key. It was downloaded into a file, and an attempt to add it to the repository failed with a message that it already existed.

version: r75 or r77 (don't remember)

'''Solution:'''
# connect to the Provider-1 MDS and stop the CMA via '''mdscmd stopcma ''customer_name'' -i ''cma_ip'''''
# '''mdsenv ''cma_ip'''''
# '''mcd conf'''
# '''cp licenses.c licenses.c.bak'''
# vi licenses.c and manually delete the problem license (you have to figure out which lines the definition of the license object starts and ends at)
# via the SmartUpdate GUI, re-add the license to the repository and
# attach the license to the firewall

[[category:check point]]
= Check point product installation info =
''Revision of 2013-02-27T20:00:01Z by Nighthawk.''

How to tell what products are installed on your Check Point server

== Solution ==
Run the command:
 cpprod_util CPPROD_GetKeyValues Products 0

[[category:check point]]

= Check point service ports =
''Revision of 2018-03-16T15:15:00Z by Nighthawk.''

[[File:cpportsr77.png]]

{| border="1" cellspacing="5"
! align="left" | Port
! align="left" | Service
! align="left" | Description
|-
| 256/tcp
| FW1
| Check Point VPN-1 & FireWall-1 Service
* Download of rulebase from management server to gateway (4.x)
* Fetching rulebase from gateway to management server when starting (4.x)
* Get topology information from management server or Customer Management Add-on (CMA) to gateway
* Full synchronization for HA configuration
|-
| 257/tcp
| FW1_log
| Check Point Logs
* Protocol used for delivering logs from gateway to management server
* Protocol used for delivering logs from gateway to CMA or Customer Log Module
|-
| 258/tcp
| FW1_mgmt
| Check Point VPN-1 & FireWall-1 Management (Version 4.x, obsolete)
* Protocol for communication between SmartConsole applications and the management server
|-
| 259/tcp
| FW1_clntauth, FW1_clntauth_telnet
| Check Point VPN-1 & FireWall-1 Client Authentication (Telnet)
* Protocol for performing Client Authentication at the gateway using telnet
|-
| 259/udp
| RDP
| Check Point VPN-1 FWZ Key Negotiations - Reliable Datagram Protocol
* Protocol used for FWZ VPN (supported up to NG FP1 only)
* Protocol used by SecuRemote/SCl for checking the availability of the gateway/PS
|-
| 260/udp
| FW1_snmp
| Check Point SNMP Agent
* Check Point's SNMP, used in addition to 161/udp (snmp)
|-
| 261/tcp
| FW1_snauth
| Check Point Session Authentication
* Protocol for Session Authentication between gateway and SAA
|-
| 262/tcp
| (not predefined)
| Only internally used by Mail Dequeuer (process: mdq)
|-
| 264/tcp
| FW1_topo
| Check Point VPN-1 SecuRemote Topology Requests
* Topology download for SecuRemote (build 4100 and higher) and SCl
|-
| 265/tcp
| FW1_key
| Check Point VPN-1 Public Key Transfer Protocol
* Protocol for exchanging CA and DH keys between management servers (SKIP, FWZ (4.x))
* Public key download for SecuRemote/SecureClient
|-
| 900/tcp
| FW1_clntauth, FW1_clntauth_http
| Check Point Client Authentication (HTTP)
* Protocol for performing Client Authentication at the gateway using HTTP
|-
| 981/tcp
| (not predefined)
| Check Point UTM-1 Edge remote administration from external using HTTPS
|-
| 2746/udp
| VPN1_IPSEC_encapsulation
| SecuRemote IPSEC Transport Encapsulation Protocol
* Default protocol used for UDP encapsulation
|-
| 4532/tcp
| (not predefined)
| Only internally used by Session Authentication (in.asessiond)
|-
| 5004/udp
| MetaIP-UAT
| Check Point Meta IP UAM Client-Server Communication
|-
| 8116/udp
| (not predefined)
| Check Point Cluster Control Protocol
* Protocol for communication between High Availability cluster members. Used for e.g. report/query state, probing, load balancing
|-
| 8989/tcp
| (not predefined)
| Only internally used by Customer Management Add-on for Session Authentication
|-
| 9281/udp
| SWTP_Gateway
| VPN-1 Embedded / SofaWare Management Server (SMS)
* Encrypted protocol for communication between management server and Check Point Appliance (e.g. VPN-1 Edge)
|-
| 9282/udp
| SWTP_SMS
| VPN-1 Embedded / SofaWare Management Server (SMS)
* Encrypted protocol for communication between management server and Check Point Appliance (e.g. VPN-1 Edge)
|-
| 18181/tcp
| FW1_cvp
| Check Point OPSEC Content Vectoring Protocol
* Protocol used for communication between gateway and AntiVirus server
|-
| 18182/tcp
| FW1_ufp
| Check Point OPSEC URL Filtering Protocol
* Protocol used for communication between gateway and server for content control (e.g. web content)
|-
| 18183/tcp
| FW1_sam
| Check Point OPSEC Suspicious Activity Monitor API
* Protocol e.g. for Block Intruder between management server (or CMA) and gateway
|-
| 18184/tcp
| FW1_lea
| Check Point OPSEC Log Export API
* Protocol for exporting logs from the management server
|-
| 18185/tcp
| FW1_omi
| Check Point OPSEC Objects Management Interface
* Protocol used by applications having access to the ruleset saved at the management server
|-
| 18186/tcp
| FW1_omi-sic
| Check Point OPSEC Objects Management Interface with Secure Internal Communication (SIC)
* Protocol used by applications having access to the ruleset saved at the management server
|-
| 18187/tcp
| FW1_ela
| Check Point OPSEC Event Logging API
* Protocol for applications logging to the gateway log at the management server
|-
| 18190/tcp
| CPMI
| Check Point Management Interface
* Protocol used for communication between the SmartConsole and the SmartCenter/Security Management Server
* Protocol for connections from Multi-Domain GUI to MDS and CMA
|-
| 18191/tcp
| CPD
| Check Point Daemon Protocol
* Download of rulebase from management server to gateway
* Fetching rulebase from gateway to management server when starting the gateway
* Download of rulebase from CMA/MDS to gateway
* Fetching rulebase from gateway to CMA when starting the gateway
|-
| 18192/tcp
| CPD_amon
| Check Point Internal Application Monitoring
* Protocol for getting system status, from management server or CMA/MDS to gateway
|-
| 18193/tcp
| FW1_amon
| Check Point OPSEC Application Monitoring
* Protocol for monitoring apps, e.g. from management server to CVP server
|-
| 18202/tcp
| CP_rtm
| Check Point RTM Log
* Protocol used by Real Time Monitor (SmartView Monitor)
|-
| 18205/tcp
| CP_reporting
| Check Point Reporting client
* Protocol used by the Reporting client when connecting to the Reporting Server (management server)
|-
| 18207/tcp
| FW1_pslogon
| Check Point Policy Server Logon protocol
* Protocol used for download of Desktop Security from the Policy Server to SecureClient (4.x)
|-
| 18208/tcp
| FW1_CPRID
| Check Point Remote Installation Protocol
* Protocol used from management server to gateway when installing Secure Updates
|-
| 18209/tcp
| (not predefined)
| Protocol used in SIC for communication between the management server, containing the Internal Certificate Authority (ICA), and objects, such as gateways and OPSEC applications, managed by the management server
|-
| 18210/tcp
| FW1_ica_pull
| Check Point ICA Pull
* Protocol used by SIC for e.g. a gateway pulling certificates from a management server
|-
| 18211/tcp
| FW1_ica_push
| Used to push certificates from the ICA
* Protocol used by SIC for pushing CA's from management server or CMA/MDS to gateway
|-
| 18212/udp
| FW1_load_agent
| Check Point ConnectControl Load Agent
* Default port for the Load Agent running on load-balanced servers (e.g. WWW, FTP)
|-
| 18221/tcp
| CP_redundant
| Check Point Redundant Management Protocol
* Protocol used for synchronizing primary and secondary management server
* Protocol used for synchronizing CMA between primary and secondary MDS
|-
| 18231/tcp
| FW1_pslogon_NG
| Check Point NG Policy Server Logon protocol (NG)
* Protocol used for download of Desktop Security from the Policy Server to SecureClient
|-
| 18232/tcp
| FW1_sds_logon
| Check Point SecuRemote Distribution Server Protocol
* Protocol for software distribution of Check Point components
|-
| 18233/udp
| FW1_scv_keep_alive
| Check Point SecureClient Verification KeepAlive Protocol
* Protocol for Secure Configuration Verification on SecureClient
|-
| 18234/udp
| tunnel_test
| Check Point tunnel testing application
* Protocol for tunnel testing through VPN, used by SecuRemote/SecureClient
|-
| 18241/udp
| E2ECP
| Check Point End to End Control Protocol
* Protocol to check SLAs defined in Virtual Links by SmartView Monitor
|-
| 18262/tcp
| CP_Exnet_PK
| Check Point Extranet public key advertisement
* Protocol for exchange of public keys when configuring Extranet (not supported since NG AI R55)
|-
| 18263/tcp
| CP_Exnet_resolve
| Check Point Extranet remote objects resolution
* Protocol for importing exported objects from a partner in Extranet (not supported since NG AI R55)
|-
| 18264/tcp
| FW1_ica_services
| Check Point ICA Fetch CRL and User Registration Services
* Protocol for Certificate Revocation Lists and registering users when using the Policy Server; needed when e.g. a gateway is starting
|-
| 18265/tcp
| FW1_ica_mgmt_tools
| Check Point ICA Management Tools
* Protocol for managing the ICA, also used for central administration of the ICA on the management server
* Needs to be started separately with the command cpca_client
|-
| 19190/tcp
| FW1_netso
| Check Point User Authority simple protocol
* Protocol used by UserAuthority for connecting from the UserAuthority Server to the Web Plugin when authenticating using certificates generated by the ICA
|-
| 19191/tcp
| FW1_uaa
| Check Point OPSEC User Authority API
* Protocol for connections to the UserAuthority Server
|-
| 19194/udp
| CP_SecureAgent-udp
| SecureAgent Authentication ICA service
|-
| 19195/udp
| CP_SecureAgent-udp
| SecureAgent Authentication ICA service
|-
| 60709/tcp
| (not predefined)
| Internally used by SecurePlatform for web based system administration (process: cpwmd). Bound to localhost, so no remote connect is possible.
|-
| 65524/tcp
| FW1_sds_logon_NG
| Check Point SecuRemote Distribution Server Protocol
* Protocol for software distribution of Check Point components in Next Generation
|}

Additionally defined:
* Internet Protocol 17 (tunnel_test_mapped), tunnel testing for a module performing the tunnel test
* Internet Protocol 94 (FW1_Encapsulation), Check Point VPN-1 SecuRemote FWZ Encapsulation Protocol
* Internet Protocol 112 (Virtual Router Redundancy Protocol), HA for IPSO - since NG AI

[[category:check point]]
gateway using HTTP 981 /tcp - not predefined - Check Point UTM-1 Edge remote administration from external using HTTPS 2746 /udp VPN1_IPSEC_encapsulation SecuRemote IPSEC Transport Encapsulation Protocol - Default-Protocol used for UDP encapsulation 4532 / tcp - not predefined - only internally used by Session AuthentICA (in.asessiond) 5004 /udp MetaIP-UAT Check Point Meta IP UAM Client-Server Comanagement serverunInternal Certificate Authority 8116 /udp - not predefined - Check Point Cluster Control Protocol - Protocol for communICA between High Availability Cluster Members. Used for e.g. report/query state, probing, load balancing 8989 /tcp - not predefined - only internally used by Customer Management Add-on for Session Authentication 9281 /udp SWTP_Gateway VPN-1 Embedded / SofaWare Management Server (SMS) - Encrypted Protocol for comanagement serverunICA between management server and Check Point Appliance (e.g. VPN-1 Edge) 9282 /udp SWTP_SMS VPN-1 Embedded / SofaWare Management Server (SMS) - Encrypted Protocol for comanagement serverunICA between management server and Check Point Appliance (e.g. VPN-1 Edge) 18181 /tcp FW1_cvp Check Point OPSEC Content Vectoring Protocol - Protocol used for comanagement serverunICA between gateway and AntiVirus Server 18182 /tcp FW1_ufp Check Point OPSEC URL Filtering Protocol - Protocol used for comanagement serverunICA between gateway and Server for Content Control (e.g. Web Content) 18183 /tcp FW1_sam Check Point OPSEC Suspicious Activity Monitor API - Protocol e.g. 
for Block Intruder between management server (or CMA) and gateway 18184 /tcp FW1_lea Check Point OPSEC Log Export API - Protocol for exporting logs from management server 18185 /tcp FW1_omi Check Point OPSEC Objects Management Interface - Protocol used by applICA's having access to the ruleset saved at management server 18186 /tcp FW1_omi-sic Check Point OPSEC Objects Management Interface with Secure Internal Communication (SIC) - Protocol used by applICA's having access to the ruleset saved at management server 18187 /tcp FW1_ela Check Point OPSEC Event Logging API - Protocol for applICA's logging to the gateway log at management server 18190 /tcp CPMI Check Point Management Interface - Protocol used for communicatopn ICA between the SmartConsole and the SmartCenter/SecurityManagement Server. - Protocol for connections from Multi-Domain GUI to MDS and CMA 18191 /tcp CPD Check Point Daemon Protocol - Download of rulebase from management server to gateway - Fetching rulebase, from gateway to management server when starting gateway - Download of rulebase from CMA/MDS to gateway - Fetching rulebase, from gateway to CMA when starting gateway 18192 /tcp CPD_amon Check Point Internal ApplCA Monitoring - Protocol for getting System Status, from management server or CMA/MDS to gateway 18193 /tcp FW1_amon Check Point OPSEC ApplInternal Certificate Authority Monitoring - Protocol for monitoring apps, e.g. from management server to CVP server 18202 /tcp CP_rtm Check Point RTM Log - Protocol used by Real Time Monitor (SmartView Monitor) 18205 /tcp CP_reporting Check Point Reporting client - Protocol used by Reporting client when connecting to Reporting Server (management server) 18207 /tcp FW1_pslogon Check Point Policy Server Logon protocol - Protocol used for download of Desktop Security from the Policy Server to SecureClient (4.x) 18208 /tcp FW1_CPRID Check Point Remote Installation Protocol - Protocol used from management server to gateway when installing Secure Updates. 
18209 /tcp - not predefined - Protocol used in SIC for communication between the management server, containing the Internal Certificate Authority (ICA) and objects, such as gateways and OPSEC applications, managed by the management sever 18210 /tcp FW1_Internal Certificate Authority_pull Check Point ICA Pull - Protocol used by SIC for e.g. gateway pulling certificates from a management server 18211 /tcp FW1_Internal Certificate Authority_push Used to push certificates from the ICA. - Protocol used by SIC for pushing CA's from management server or CMA/MDS to gateway 18212 /udp FW1_load_agent Check Point ConnectControl Load Agent - Default-Port for Load Agent running on load-balanced Servers (e.g. WWW, FTP) 18221 /tcp CP_redundant Check Point Redundant Management Protocol - Protocol used for synchronizing primary and secondary management server - Protocol used for synchronizing CMA between primary and secondary MDS 18231 /tcp FW1_pslogon_NG Check Point NG Policy Server Logon protocol (NG) - Protocol used for download of Desktop Security from the Policy Server to SecureClient 18232 /tcp FW1_sds_logon Check Point SecuRemote Distribution Server Protocol - Protocol for software distribution of Check Point components 18233 /udp FW1_scv_keep_alive Check Point SecureClient VerifICA KeepAlive Protocol - Protocol for Secure Configuration VerifICA on SecureClient 18234 /udp tunnel_test Check Point tunnel testing ICA - Protocol for testing ICA through VPN, used by SecuRemote/SecureClient 18241 /udp E2ECP Check Point End to End Control Protocol - Protocol to check SLA's defined in Virtual Links by SmartView Monitor 18262 /tcp CP_Exnet_PK Check Point Extrnet public key advertisement - Protocol for exchange of public keys when configuring Extranet not supported since NG AI R55 18263 /tcp CP_Exnet_resolve Check Point Extranet remote objects resolution - Protocol for importing exported objects from partner in Extranet not supported since NG AI R55 18264 /tcp FW1_Internal Certificate 
Authority_services Check Point ICA Fetch CRL and User Registration Services - Protocol for Certificate Revocation Lists and registering users when using the Policy Server - needed when e.g. gateway is starting 18265 /tcp FW1_Internal Certificate Authority_mgmt_tools Check Point ICA Management Tools - Protocol for managing the ICA, also used for central administration of Internal Certificate Authority on the management server. - needs to be started separately with the comanagement server and cpca_client 19190 /tcp FW1_netso Check Point User Authority simple protocol - Protocol used for UserAuthority for connecting from the UserAuthority Server to the Web Plugin when authenticating using certificates generated by the ICA 19191 /tcp FW1_uaa Check Point OPSEC User Authority API - Protocol for connections to the UserAuthority Server 19194 /udp CP_SecureAgent-udp SecureAgent Authentication ICA service 19195 /udp CP_SecureAgent-udp SecureAgent Authentication tICA service 60709 /tcp - not predefined - Internally used by SecurePlatform for web based system administration (process: cpwmd). Bound to localhost, so no remote connect is possible. 65524 /tcp FW1_sds_logon_NG Check Point SecuRemote Distribution Server Protocol - Protocol for software distribution of Check Point components in Next Generation Additionally defined: Internet Protocol 17 (tunnel_test_mapped), tunnel testing for a module performing the tunnel test Internet Protocol 94 (FW1_Encapsulation), Check Point VPN-1 SecuRemote FWZ Encapsulation Protocol Internet Protocol 112 (Virtual Router Redundancy Protocol), HA for IPSO - since NG AI [[category:check point]] Check point state sync interface problem 0 21 25 2013-02-26T00:21:14Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki '''Problem description''' State table sync was not working between firewall-1 and firewall-2 after upgrading from R65 to R70.1. Fw ctl pstat showed sync packets sent, but zero received on both firewalls. 
The aggregate link was set up properly in IPSO and the firewalls could ping each other's sync interfaces. The real problem symptom was that the firewall didn't recognize any of its interfaces as sync interfaces, as seen below. Also, the configuration of the firewalls was double-checked by Mark Stapp and Check Point support. All firewall configurations appeared to be correct.

'''Symptoms'''

1) Local cpha shows down. Example:
 firewall-1[admin]# cphaprob stat
 Cluster Mode:   Sync only (IPSO cluster)
 Number     Unique Address  Firewall State (*)
 2 (local)  none            Down

2) The cpha interface listing shows no sync interfaces configured, although state sync is enabled properly on the firewall cluster object in the topology and 3rd party configuration options. Example:
 firewall-2[admin]# cphaprob -a if
 eth-s4p1c0  non sync(non secured)
 eth-s1p1c0  non sync(non secured)
 eth-s1p2c0  non sync(non secured)
 ae1c0       non sync(non secured)
 Warning: Sync will not function since there aren't any sync(secured) interfaces
 Virtual cluster interfaces: 2
 eth-s1p1c0  192.168.100.12
 eth-s1p2c0  192.168.254.11

'''Solution'''

Some of the steps from sk39047, linked below, were used.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk39047&js_peid=P-114a7bc3b09-10006&partition=General&product=Security

What I ended up doing on firewall-1 was:
1) cpconfig > option 7 > Disable cluster membership for this gateway
2) cpconfig > option 7 > Enable cluster membership for this gateway
3) reboot

Afterwards, I had a sync interface on firewall-1. I plan to perform the same procedure on firewall-2. However, a disruptive failover from firewall-2 to firewall-1 will be required. Since state sync is broken, the failover will sever any stateful connections traversing the upper rail.

After the procedure above was run:
 firewall-1[admin]# cphaprob -a if
 eth-s1p1c0  non sync(non secured)
 eth-s1p2c0  non sync(non secured)
 eth-s4p1c0  non sync(non secured)
 ae1c0       sync(secured), multicast   <<< hurray!!!
 Virtual cluster interfaces: 2
 eth-s1p1c0  192.168.100.12
 eth-s1p2c0  192.168.254.11
 
 firewall-1[admin]# cphaprob stat
 Cluster Mode:   Sync only (IPSO cluster)
 Number     Unique Address  Firewall State (*)
 1 (local)  1.1.1.1         Active   <<<< whoopee!!!

[[category:check point]]

= Checking for queue drops =
''(revision 32, 2013-02-26, Nighthawk)''
 ipsctl -a | egrep "in_qdrop|out_qdrop"
[[category:check point]]

= Clish logical interfaces =
''(revision 546, 2014-11-07, Nighthawk)''

From the manual: when adding a logical interface (in addition to the default logical interface), specify the physical interface. When adding a logical interface, you must specify a VLAN ID.

Example:
 add interface eth4 vlanid 2544 address 192.168.1.1/24

== delete interface ip ==
 delete interface eth-s4p1c0 address 192.168.1.1
[[category:nokia]]
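The sync checks used on this wiki (a node that reports no sync(secured) interface and zero sync packets received, as in the state sync page above, and the cphaprob stat down cases on the pages that follow, where the two members run different CCP modes) can be scripted. The following is an added example written for this page, not a script from the wiki or from Check Point: it parses constructed samples of `cphaprob stat`, `cphaprob -a if` and `fw ctl pstat` output modelled on the listings here (the sample text, the function names `sync_total`, `ccp_mode`, `partner_state` and `diagnose_sync`, and the verdict strings are this example's own) and prints one verdict per cluster. It goes beyond the single case above by also covering the broadcast/multicast mismatch described further down the page.

```shell
#!/bin/sh
# Added example (not the wiki's own). Parses constructed samples of
# "cphaprob stat", "cphaprob -a if" and "fw ctl pstat" output from two cluster
# members and reports the conditions seen on this page: no sync(secured)
# interface, mismatched CCP modes (multicast vs broadcast), and no sync
# packets received.

# sync_total <sent|received>: read "fw ctl pstat" output on stdin and print the
# "total" counter on the line that follows "Sync packets sent:/received:".
sync_total() {
    awk -v want="$1" '
        $0 ~ ("^[ \t]*Sync packets " want ":") { grab = 1; next }
        grab { sub(/.*total[ \t]*:[ \t]*/, ""); sub(/,.*/, ""); print; exit }
    '
}

# ccp_mode: read "cphaprob -a if" output on stdin and print the CCP mode (last
# word) of the first interface listed as sync(secured); prints nothing if none.
# The "Warning: ... sync(secured) interfaces" line has no trailing comma and is
# therefore not matched.
ccp_mode() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "sync(secured),") { print $NF; exit } }'
}

# partner_state: read "cphaprob stat" output on stdin and print the State
# column of the member that is not marked (local).
partner_state() {
    awk '$1 ~ /^[0-9]+$/ && $0 !~ /\(local\)/ { print $NF; exit }'
}

# diagnose_sync <pstat_a> <pstat_b> <if_a> <if_b>: each argument is a command
# that prints the respective output (below: the sample functions). Prints a
# one-word verdict and returns non-zero when sync is not healthy.
diagnose_sync() {
    recv_a=$("$1" | sync_total received)
    recv_b=$("$2" | sync_total received)
    mode_a=$("$3" | ccp_mode)
    mode_b=$("$4" | ccp_mode)
    if [ -z "$mode_a" ] || [ -z "$mode_b" ]; then
        echo "no-sync-interface"; return 1
    fi
    if [ "$mode_a" != "$mode_b" ]; then
        echo "ccp-mode-mismatch:$mode_a/$mode_b"; return 1
    fi
    if [ "${recv_a:-0}" -eq 0 ] || [ "${recv_b:-0}" -eq 0 ]; then
        echo "no-sync-received"; return 1
    fi
    echo "sync-ok"
}

# ---- constructed samples, modelled on the listings on this page ----
pstat_healthy() { cat <<'EOF'
Sync:
Version: new
Status: Able to Send/Receive sync packets
Sync packets sent:
 total : 196731, retransmitted : 0, retrans reqs : 0, acks : 0
Sync packets received:
 total : 17342, were queued : 0, dropped by net : 0
EOF
}
pstat_nothing_received() { cat <<'EOF'
Sync:
Version: new
Status: Able to Send/Receive sync packets
Sync packets sent:
 total : 326990, retransmitted : 0, retrans reqs : 0, acks : 0
Sync packets received:
 total : 0, were queued : 0, dropped by net : 0
EOF
}
if_multicast() { cat <<'EOF'
eth1c0  non sync(non secured)
eth2c0  non sync(non secured)
eth4c0  sync(secured), multicast
EOF
}
if_broadcast() { cat <<'EOF'
eth1c0  non sync(non secured)
eth2c0  non sync(non secured)
eth4c0  sync(secured), broadcast
EOF
}
if_no_sync() { cat <<'EOF'
eth-s4p1c0  non sync(non secured)
ae1c0       non sync(non secured)
Warning: Sync will not function since there aren't any sync(secured) interfaces
EOF
}
stat_partner_down() { cat <<'EOF'
Cluster Mode:   Sync only (IPSO cluster)
Number     Unique Address  Firewall State (*)
1 (local)  10.10.30.2      Active
2          10.10.30.3      Down
EOF
}

# Demonstration runs ("|| true" keeps a failing verdict from aborting a set -e shell)
diagnose_sync pstat_healthy pstat_healthy if_multicast if_multicast || true                      # sync-ok
diagnose_sync pstat_healthy pstat_healthy if_multicast if_broadcast || true                      # ccp-mode-mismatch:multicast/broadcast
diagnose_sync pstat_nothing_received pstat_nothing_received if_broadcast if_broadcast || true    # no-sync-received
diagnose_sync pstat_nothing_received pstat_nothing_received if_no_sync if_multicast || true      # no-sync-interface
```

On a live cluster the sample functions would be replaced by the real commands (run locally and over ssh on the partner); the parsing is unchanged. A received counter that is non-zero but not moving between two runs, the symptom in the one-firewall-down case, is caught by calling `sync_total received` twice a few seconds apart and comparing the values.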
= Configuring Security Gateway Modules as Up or Down (asg_blade_admin) =
''(revision 426, 2014-04-20, Nighthawk)''

'''Description:''' Administer the Security Gateway Modules (blades). Administratively turn the blades on and off.

'''Syntax'''
 asg_blade_admin -b blade_string <up|down> [-p]

{|
! Parameter
! Description
|-
| blade_string
| List of Security Gateway Modules. For example:
* 1_01 - Chassis 1 SGM 1
* 1_03-1_05 - Chassis 1 SGMs 3, 4 and 5
* 1_01,1_03-1_05 - Combination of the previous two items
* all - All SGMs (including chassis 2, if applicable)
* chassis1 - All SGMs in Chassis 1
* chassis2 - All SGMs in Chassis 2
* chassis_active - All SGMs in the active chassis
|-
| -p
| Persistent. The setting is kept after reboot.
|-
| -h
| Display usage
|}

'''Example'''
 # asg_blade_admin -b 2_03 up -p
[[category:61000]]

= Configuring a Chassis as Up or Down =
''(revision 414, 2014-04-12, Nighthawk)''

Syntax
 asg_chassis_admin -c <chassis_id> <down|up>

{| cellspacing="1" border="1"
! Parameter
! Description
|-
| chassis_id
| ID of one chassis to be modified (1 / 2)
|-
| down / up
| Chassis state
|}

Example
 # asg_chassis_admin -c 2 down
[[category:61000]]
[[category:HA]]
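The blade_string grammar of asg_blade_admin above is small, but a wrong range (one that crosses chassis, or an SGM number the chassis does not have) is easy to type and the command then acts on something other than what was meant. The following added example, written for this page and not part of asg_blade_admin or the 61000 documentation, expands a blade_string into the individual SGM ids it names and rejects malformed items. The number of SGM slots per chassis, the number of chassis and which chassis is active are passed in as parameters because the wiki page does not state them (assumptions), and the function name `expand_blades` is this example's own.

```shell
#!/bin/sh
# Added example (not the parsing code of asg_blade_admin itself). Expands a
# blade_string such as "1_01,1_03-1_05" into a space-separated list of SGM ids.
#   expand_blades <blade_string> <sgms_per_chassis> <chassis_count> <active_chassis>
# Prints the list and returns 0; prints what it could expand and returns 1 when
# an item is malformed, a range crosses chassis, or a number is out of range.
expand_blades() {
    printf '%s\n' "$1" | awk -v per="$2" -v nch="$3" -v act="$4" '
    # one SGM id, zero-padded the way the documentation writes them (1_03)
    function emit(c, s) { printf "%s%d_%02d", (n++ ? " " : ""), c, s }
    # every SGM of chassis c
    function chassis(c,    s) { for (s = 1; s <= per; s++) emit(c, s) }
    # is chassis c / SGM s within the assumed hardware bounds?
    function valid(c, s) { return c >= 1 && c <= nch && s >= 1 && s <= per }
    {
        n = 0; bad = 0
        m = split($0, items, ",")
        for (i = 1; i <= m; i++) {
            it = items[i]
            if (it == "all") {
                for (c = 1; c <= nch; c++) chassis(c)
            } else if (it == "chassis_active") {
                if (valid(act, 1)) chassis(act); else bad = 1
            } else if (it ~ /^chassis[0-9]+$/) {
                c = substr(it, 8) + 0
                if (valid(c, 1)) chassis(c); else bad = 1
            } else if (it ~ /^[0-9]+_[0-9]+-[0-9]+_[0-9]+$/) {
                # range C_SS-C_SS: both ends must be on the same chassis and in order
                split(it, r, "-"); split(r[1], a, "_"); split(r[2], b, "_")
                if (a[1] != b[1] || !valid(a[1] + 0, a[2] + 0) || !valid(b[1] + 0, b[2] + 0) || a[2] + 0 > b[2] + 0) {
                    bad = 1
                } else {
                    for (s = a[2] + 0; s <= b[2] + 0; s++) emit(a[1] + 0, s)
                }
            } else if (it ~ /^[0-9]+_[0-9]+$/) {
                split(it, a, "_")
                if (valid(a[1] + 0, a[2] + 0)) emit(a[1] + 0, a[2] + 0); else bad = 1
            } else {
                bad = 1
            }
        }
        printf "\n"
        exit bad
    }'
}

# Demonstration: two chassis with 12 SGMs each, chassis 1 active (assumed values)
expand_blades 1_01,1_03-1_05 12 2 1 || true    # 1_01 1_03 1_04 1_05
```

Checking the expansion before running `asg_blade_admin -b ... down -p` is the point: the persistent flag survives reboots, so a mistyped range stays in effect until someone notices.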
= Cpha / firewall sync troubleshooting =
''(revision 163, 2013-07-15, Nighthawk)''

Commands to run:
# cphaprob state
# cphaprob -ia list
# cphaprob -a if
# fw ctl pstat
# cphaprob syncstat

= Cpha status / cphaprob stat down problem =
''(revision 20, 2013-02-25, Nighthawk)''

== Problem Description ==

1) '''cphaprob stat''' shows the partner firewall status is down on BOTH nodes of an HA pair.

'''Example:'''
 firewall-1[admin]# cphaprob stat
 Cluster Mode:   Sync only (IPSO cluster)
 Number     Unique Address  Firewall State (*)
 1 (local)  10.10.30.2      Active
 2          10.10.30.3      Down

2) fw ctl pstat shows zero packets received on BOTH nodes.

Example:
 firewall-2[admin]# fw ctl pstat | grep -C 1 Sync
 Sync:
 Version: new
 Status: Able to Send/Receive sync packets
 Sync packets sent:
  total : 326990, retransmitted : 0, retrans reqs : 0, acks : 0
 Sync packets received:
  total : 0, were queued : 0, dropped by net : 0

3) tcpdumps on the sync interface only show OUTBOUND packets, no INBOUND packets (2nd field O = outbound packet).
 23:46:26.358170 O 00:00:00:00:fe:00 (oui XEROX CORPORATION) > 01:00:5e:0a:1e:fa (oui Unknown), ethertype NOK sync (0x7005), length 78: CPHA 0.0.0.0.8116 > 10.10.30.0.8116: ifc 0 smach 0 dmach 65534 op ifc-cfg-resp
 23:46:26.358173 O 00:00:00:00:fe:00 (oui XEROX CORPORATION) > 01:00:5e:0a:1e:fa (oui Unknown), ethertype NOK sync (0x7005), length 78: CPHA 0.0.0.0.8116 > 10.10.30.0.8116: ifc 0 smach 0 dmach 65534 op ifc-cfg-resp
 23:46:26.459135 O 00:00:00:00:fe:00 (oui XEROX CORPORATION) > 01:00:5e:0a:1e:fa (oui Unknown), ethertype NOK sync (0x7005), length 218: CPHA 0.0.0.0.8116 > 10.10.30.0.8116: ifc 0 smach 0 dmach 65534 op new-sync

4) Sync mode set to multicast.
 crx-dev1[admin]# cphaprob -a if
 eth4c0  sync(secured), broadcast
 eth2c1  non sync(non secured)
 eth2c0  non sync(non secured)
 eth3c0  sync(secured), broadcast
 eth1c1  non sync(non secured)

== Possible Causes: ==
Switch problem, physical NIC / cabling problem.

== Solution: ==
For this case, the sync mode was changed from multicast to broadcast:
 firewall-1[admin]# cphaconf set_ccp broadcast
Run "cphaprob stat" again and it will show active/active if this fix worked.
[[category:check point]]

= Cpha status / cphaprob stat down problem on one firewall only =
''(revision 28, 2013-02-26, Nighthawk)''
== Problem Description ==

'''Symptom 1:''' '''cphaprob stat''' shows the partner firewall status is down on '''only one''' node of an HA pair.

{| cellspacing="5" border="1"
! Firewall #1
! Firewall #2
|-
| firewall1[admin]# '''cphaprob stat'''<br>
Cluster Mode: Sync only (IPSO cluster)<br>
Number Unique Address Firewall State (*)<br>
1 (local) 10.206.15.1 Active<br>
2 10.206.15.2 Active
| firewall2[admin]# '''cphaprob stat'''<br>
Cluster Mode: Sync only (IPSO cluster)<br>
Number Unique Address Firewall State (*)<br>
1 10.206.15.1 Down<br>
2 (local) 10.206.15.2 Active
|}

'''Symptom 2:''' sync packets are sent and received in one direction only, as seen in the incrementing stats (the command is run twice on each node).

Firewall #1:
 firewall1[admin]# fw ctl pstat | grep -A 1 "Sync p" | awk '{print $1,$2,$3}'
 Sync packets sent:
 total : 196731,
 Sync packets received:
 total : 17342,
 firewall1[admin]# fw ctl pstat | grep -A 1 "Sync p" | awk '{print $1,$2,$3}'
 Sync packets sent:
 total : 196819,
 Sync packets received:
 total : 17382,

Firewall #2:
 firewall2[admin]# fw ctl pstat | grep -A 1 "Sync p" | awk '{print $1,$2,$3}'
 Sync packets sent:
 total : 970,
 Sync packets received:
 total : 6,                      <<< not incrementing
 firewall2[admin]# fw ctl pstat | grep -A 1 "Sync p" | awk '{print $1,$2,$3}'
 Sync packets sent:
 total : 1050,
 Sync packets received:
 total : 6,                      <<< not incrementing

== Root Cause ==
Possible mismatch between synchronization broadcast/multicast modes:

{| cellspacing="5" border="1"
! Firewall #1
! Firewall #2
|-
| firewall1[admin]# '''cphaprob -a if'''<br>
eth1c0 non sync(non secured)<br>
eth2c0 non sync(non secured)<br>
eth4c0 sync(secured), multicast
| firewall2[admin]# '''cphaprob -a if'''<br>
eth1c0 non sync(non secured)<br>
eth2c0 non sync(non secured)<br>
eth4c0 sync(secured), broadcast
|}

== Solution: ==
Reset the sync mode on the firewall whose sync packets aren't being received successfully:
 firewall1[admin]# cphaconf set_ccp broadcast
This should resolve the down status and the sync sent/received issue:

{| cellspacing="5" border="1"
! Firewall #1
! Firewall #2
|-
| firewall1[admin]# '''cphaprob stat'''<br>
Cluster Mode: Sync only (IPSO cluster)<br>
Number Unique Address Firewall State (*)<br>
1 (local) 10.206.15.1 Active<br>
2 10.206.15.2 Active
| firewall2[admin]# '''cphaprob stat'''<br>
Cluster Mode: Sync only (IPSO cluster)<br>
Number Unique Address Firewall State (*)<br>
1 10.206.15.1 Active<br>
2 (local) 10.206.15.2 Active
|}
[[category:check point]]

= Cphaprob stat active / attention status =
''(revision 35, 2013-02-27, Nighthawk)''

== problem description ==
ClusterXL shows Active Attention / Interface Active Check Error. Vendor: Check Point. Platform: SPLAT. Version: R65 NGX. (Firewalls - Checkpoint, Tuesday, 23 February 2010 13:21)

This article will provide the required troubleshooting steps for resolving the "Interface Active Check" error within ClusterXL.

First of all you spot there is an error within ClusterXL using the following command:
 root@firewall # cphaprob stat
 Cluster Mode:   Legacy High Availability (Active Up)
 Number  Unique Address  Assigned Load  State
 192.168.12.1    100%   active attention (local)
 192.168.12.2    0%     down

== Confirming the issue ==
To pinpoint which part of ClusterXL Check Point is not happy with, run the following command
(this will list all the ClusterXL components and their statuses):
 root@firewall # cphaprob list
 
 Built-in Devices:
 
 Device Name: Interface Active Check
 Current state: problem
 
 Registered Devices:
 
 Device Name: Synchronization
 Registration number: 0
 Timeout: none
 Current state: OK
 Time since last report: 241598 sec
 
 Device Name: Filter
 Registration number: 1
 Timeout: none
 Current state: OK
 Time since last report: 241598 sec
 
 Device Name: fwd
 Registration number: 2
 Timeout: 2 sec
 Current state: OK
 Time since last report: 1 sec
 
 Device Name: cphad
 Registration number: 3
 Timeout: 2 sec
 Current state: OK
 Time since last report: 1 sec

From this you can see that the issue is based on the Interface Checking:
 Device Name: Interface Active Check
 Current state: problem

== Checking the Monitored Interfaces ==
Now that we see the error we will need to look a bit closer at the state of the interfaces:
 root@firewall # cphaprob -a if
 Required interfaces: 6
 Required secured interfaces: 1
 
 eth4   UP   sync(secured), unique, multicast
 eth0   UP   non sync(non secured), shared, multicast
 eth1   Inbound: DOWN (241522 secs) Outbound: DOWN (241523 secs)   non sync(non secured), shared, multicast
 eth10  UP   non sync(non secured), shared, multicast
 eth11  Disconnected   non sync(non secured), unique, broadcast
 eth2   UP   non sync(non secured), unique, multicast
 eth3   UP   non sync(non secured), shared, multicast

We can see here that eth1 is still being monitored but is showing as down. When I connect to the other cluster node I see that eth1 is also showing down.

== Solution ==
So in order to ensure that Check Point completely ignores this interface we will need to add this interface to the file "$FWDIR/conf/discntd.if". Below shows how the file should look once we add eth1 to it:
 root@firewall # cat $FWDIR/conf/discntd.if
 eth1
 eth11

Once you have changed this file on both nodes, re-push the policy and the ClusterXL status should be back to Active/Standby and the output of "cphaprob list" should show no errors. If it appears that this hasn't resolved the issue, run `cphaprob -a if` and confirm that this interface is now showing as disconnected. If the output of `cphaprob stat` is still not showing active/standby, run `cpstop && cpstart` on each node, which should then resolve the problem.

This occurred on R75.40 SPLAT. Was fixed after a reboot of each node.
[[category:check point]]

= Cpinfo for cma or mds on provider-1 =
''(revision 519, 2014-07-22, Nighthawk)''

== CMA cpinfo ==
To generate a cpinfo for the Provider-1 / SiteManager-1 CMA or MDS, proceed as follows.

To collect cpinfo from the relevant CMA that manages the Security Gateway:
# Log in to the MDS as "superuser".
# Look at the list of all Customers (CMAs) by running: mdsstat
# Set the environment for the Customer by running: mdsenv <customer_name> (for example, for the Customer "test" the syntax is: mdsenv test). This sets the environment specifically for the Customer "test", a setting that is different from the MDS environment settings.
# Verify the correct environment by running: echo $FWDIR. This displays the correct path for the CMA; for example, the response will be: /opt/CPmds-R65/customers/<customer_name>/CPsuite-R65/fw1/
# Collect cpinfo by using exactly this syntax: cpinfo -c <cma_name> -z -n -o /var/cma.cpinfo
# Please send Check Point Support this file: /var/cma.cpinfo.gz

== MDS cpinfo ==
# Log in to the MDS as "superuser".
Set the environment for the entire MDS by running: mdsenv Verify the correct environment by running: echo $FWDIR For example, the response will be: /opt/CPmds-R65/ Collect cpinfo: cpinfo -z -n -o /var/mds.cpinfo Please send Check Point Support this file: /var/mds.cpinfo.gz [[category:cpinfo]] 518 3 2014-07-22T14:54:20Z Nighthawk 1 wikitext text/x-wiki == SOLUTION == To generate a cpinfo for the Provider-1/ SiteManager-1 CMA or MDS, proceed as follows. To collect cpinfo from the relevant CMA that manages the Security Gateway : Login to the MDS as "superuser". Look at the list of all Customers (CMAs) by running: mdsstat Set the environment for the Customer by running: mdsenv <customer_name> For example, for the Customer "test" the syntax is: mdsenv test (This sets the environment specifically for the Customer "test", a setting that is different from the MDS environment settings.) Verify the correct environment by running: echo $FWDIR This displays the correct path for the CMA. For example, the response will be: /opt/CPmds-R65/customers/<customer_name>/CPsuite-R65/fw1/ Collect cpinfo by using exactly this syntax: cpinfo -c <cma_name> -z -n -o /var/cma.cpinfo Please send Check Point Support this file: /var/cma.cpinfo.gz == MDS cpinfo== Log into the MDS as "superuser". Set the environment for the entire MDS by running: mdsenv Verify the correct environment by running: echo $FWDIR For example, the response will be: /opt/CPmds-R65/ Collect cpinfo: cpinfo -z -n -o /var/mds.cpinfo Please send Check Point Support this file: /var/mds.cpinfo.gz [[category:cpinfo]] 3 2 2013-02-25T21:56:43Z Nighthawk 1 wikitext text/x-wiki == SOLUTION == To generate a cpinfo for the Provider-1/ SiteManager-1 CMA or MDS, proceed as follows. To collect cpinfo from the relevant CMA that manages the Security Gateway : Login to the MDS as "superuser". 
Creating calculate GB in one days of logs for MLM (last revision 2017-10-03T16:11:41Z, Nighthawk)

To get the log quantity for the last 24 hours (in GB, on R77):
 # mcd customers
 # for CLM in *; do mdsenv $CLM; find $CLM/CPsuite-R77/fw1/log/*.log -mtime -1 | xargs -r ls -l | awk '{s+=$5} END {printf "%.0f", s; print "/1024/1024/1024"}' | bc -l; done | awk '{s+=$1} END {print s}'

To get logs in GB per day for the last 7 days (R77):
 # for CLM in *; do mdsenv $CLM; echo $CLM; for DAY in 1 2 3 4 5 6 7; do find $CLM/CPsuite-R77/fw1/log/*.log -mtime +$DAY -a -mtime -$((DAY + 2)) | xargs -r ls -l | awk '{s+=$5} END {printf "%.0f", s; print "/1024/1024/1024"}' | bc -l; done; done

[[category:mlm]] [[category:logging]]
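As an added example (not from the wiki page), the same per-day accounting done with explicit 24-hour buckets computed from epoch mtimes, so no bucket is skipped: GNU find's -mtime +N only matches files at least N+1 whole days old, so the loop above with DAY=1 starts at files 48 hours old. It assumes GNU find/awk/touch (as on a RHEL-based Gaia or SPLAT host); the directory and files are constructed for the self-test and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page: per-day log volume with explicit 24-hour
# buckets computed from epoch mtimes. Assumes GNU find/awk/touch (RHEL-based Gaia).

# Print "<day> <bytes>" for day buckets 0..DAYS-1, where day 0 is the last 24 hours,
# day 1 is 24-48 hours ago, and so on. Files older than DAYS days are ignored.
# Usage: log_bytes_per_day <log_dir> <days> [<now_epoch>]
log_bytes_per_day() {
    logdir=$1
    days=$2
    now=${3:-$(date +%s)}
    # %T@ = mtime as epoch seconds, %s = size in bytes. No ls -l parsing and no
    # xargs, so an empty directory yields zero instead of a listing of ".".
    find "$logdir" -maxdepth 1 -type f -name '*.log' -printf '%T@ %s\n' |
    awk -v now="$now" -v days="$days" '
        {
            age = now - $1               # seconds since last modification
            if (age < 0) next            # mtime in the future: skip
            d = int(age / 86400)         # whole 24-hour periods ago
            if (d < days) bytes[d] += $2
        }
        END { for (d = 0; d < days; d++) printf "%d %d\n", d, bytes[d] + 0 }'
}

# Same buckets converted to GB, which is what the page pipes through bc.
log_gb_per_day() {
    log_bytes_per_day "$@" | awk '{ printf "%d %.3f\n", $1, $2 / 1024 / 1024 / 1024 }'
}

# Constructed fixture for a self-test: .log files of known size and age plus one
# non-log file. Prints "<dir> <now>" so the caller can pass a fixed reference time.
make_fixture() {
    dir=$(mktemp -d)
    ref=$(date +%s)
    head -c 1000 /dev/zero > "$dir/a.log";   touch -d "@$((ref - 3600))"       "$dir/a.log"    # 1h old  -> day 0
    head -c 2000 /dev/zero > "$dir/b.log";   touch -d "@$((ref - 30 * 3600))"  "$dir/b.log"    # 30h old -> day 1
    head -c 4000 /dev/zero > "$dir/c.log";   touch -d "@$((ref - 50 * 3600))"  "$dir/c.log"    # 50h old -> day 2
    head -c 8000 /dev/zero > "$dir/old.log"; touch -d "@$((ref - 10 * 86400))" "$dir/old.log"  # 10d old -> dropped
    head -c 9999 /dev/zero > "$dir/notes.txt"                                                  # not a .log file
    echo "$dir $ref"
}

# Stand-alone run: build the fixture and print the last three days.
if [ "${1:-}" = "--demo" ]; then
    set -- $(make_fixture)
    log_bytes_per_day "$1" 3 "$2"
    log_gb_per_day "$1" 3 "$2"
    rm -rf "$1"
fi
```

On an MLM, point log_bytes_per_day at each $CLM/CPsuite-R77/fw1/log directory inside the customers loop from the page.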
Creating objects with dbedit (last revision 2013-02-26T00:28:33Z, Nighthawk)
== creating a new host ==
 dbedit> create host_plain <object_name>
 dbedit> modify network_objects <object_name> ipaddr 192.168.1.1
 dbedit> update network_objects <object_name>

== creating a new network ==
 dbedit> create network <network_name>
 dbedit> modify network_objects <network_name> ipaddr 192.168.1.0
 dbedit> modify network_objects <network_name> netmask 255.255.255.0
 dbedit> update network_objects <network_name>

== creating and adding objects to a group ==
 dbedit> create network_object_group <group_name>
 dbedit> addelement network_objects <group_name> '' network_objects:<object_name>
 dbedit> update network_objects <group_name>

== deleting an object ==
 dbedit> delete network_objects <object_name>

== running the script ==
 dbedit -s 192.168.2.100 -u Administrator -p abc123 -f network_script.txt

[[category:check point]]

Database version manipulation via command line CLI (last revision 2013-02-25T22:11:43Z, Nighthawk)

== creating a new database version ==
 dbver -s 192.168.1.100 -u username -w my_password -m create version_name`/bin/date +"_%m-%d-%Y-%s"` comments_here

== print all existing database versions ==
 dbver -s 192.168.1.100 -u username -w my_password -m print_all

[[category:dbver]]

Debug fwm on provider-1 mds (last revision 2013-08-27T03:03:20Z, Nighthawk)

When fwm failed to start after an mdsstart, mdsstat showed:
 Type| Name | IP address | FWM | FWD | CPD | CPCA |
 MDS | 171.186.108.253 | down | down | up 1265 | N/R |

Then, to start the MDS-level fwm and get debug messages on stdout:
 fwm -d mds

[[category:check point]]
Fw ctl zdebug command reference (last revision 2013-03-26T20:33:50Z, Nighthawk)

example:
 fw ctl zdebug drop | grep ''ip_address''

[[category:check point]]

Fw monitor (last revision 2013-07-07T15:49:23Z, Nighthawk)

'''4 chain, all bidirectional traffic between 2 hosts'''
 fw monitor -m iIoO -e "accept src=192.168.1.1 and dst=10.0.0.1; accept src=10.0.0.1 and dst=192.168.1.1;"

'''capture icmp packets only from host x'''
 fw monitor -m iIoO -e "ip_p=1,host(192.168.1.1), accept;"

'''Usual Capture'''

Capture everything, save the data into the file:
 [Expert@HostName]# fw monitor -e "accept;" -o /var/log/fw_mon.cap

Capture everything between host X and host Y:
 [Expert@HostName]# fw monitor -e "((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap
 [Expert@HostName]# fw monitor -e "host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.cap

Capture everything between hosts X,Z and hosts Y,Z on all Check Point kernel chains:
 [Expert@HostName]# fw monitor -p all -e "((src=x.x.x.x or dst=z.z.z.z) and (src=y.y.y.y or dst=z.z.z.z)), accept ;" -o /var/log/fw_mon.cap

Capture everything to/from host X or to/from host Y or to/from host Z:
 [Expert@HostName]# fw monitor -e "((accept (src=x.x.x.x or dst=x.x.x.x)) or (accept (src=y.y.y.y or dst=y.y.y.y)) or (accept (src=z.z.z.z or dst=z.z.z.z)));" -o /var/log/fw_mon.cap
 [Expert@HostName]# fw monitor -e "host(x.x.x.x) or host(y.y.y.y) or host(z.z.z.z), accept;" -o /var/log/fw_mon.cap

'''Port Specific Capture'''

Capture everything to/from port X:
 [Expert@HostName]# fw monitor -e "accept (sport=x or dport=x);" -o /var/log/fw_mon.cap
 [Expert@HostName]# fw monitor -e "port(x), accept;" -o /var/log/fw_mon.cap

Capture everything except port X:
 [Expert@HostName]# fw monitor -e "accept not (sport=x or dport=x);" -o /var/log/fw_mon.cap
 [Expert@HostName]# fw monitor -e "((sport!=x) and (dport!=x)), accept;" -o /var/log/fw_mon.cap

Capture everything except SSH:
 [Expert@HostName]# fw monitor -e "accept not (sport=22 or dport=22);" -o /var/log/fw_mon.cap
 [Expert@HostName]# fw monitor -e "((sport!=22) and (dport!=22)), accept;" -o /var/log/fw_mon.cap

Capture everything to/from host X except SSH:
 [Expert@HostName]# fw monitor -e "((accept (src=x.x.x.x or dst=x.x.x.x)) and (accept not (sport=22 or dport=22)));" -o /var/log/fw_mon.cap
 [Expert@HostName]# fw monitor -e "(host(x.x.x.x) and (sport!=22 and dport!=22)), accept;" -o /var/log/fw_mon.cap

'''Protocol Specific Capture'''

Note: the protocol number in the syntax has to be provided in decimal format. Refer to the '/etc/protocols' file on the machine, or to 'www.iana.org/assignments/protocol-numbers/'.

Capture everything on protocol X:
 [Expert@HostName]# fw monitor -e "ip_p=X, accept;" -o /var/log/fw_mon.cap

Everything on protocol X, and port Z on protocol Y:
 [Expert@HostName]# fw monitor -e "(ip_p=X) or (ip_p=Y, port(Z)), accept;" -o /var/log/fw_mon.cap

Capture everything TCP between host X and host Y:
 [Expert@HostName]# fw monitor -e "ip_p=6, host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.cap
 [Expert@HostName]# fw monitor -e "accept [9:1]=6 , ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x));"
 [Expert@HostName]# fw monitor -e "ip_p=6, ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap

'''Bytes Specific Capture'''

Simple checks are used to check for a value at a specific offset in the packet:
 [Expert@HostName]# fw monitor -e "accept [ offset : length , order ] relational-operator value;"

Field explanation:
* offset specifies the offset relative to the beginning of the IP packet from where the value should be read.
* length specifies the number of bytes and can be 1 (byte), 2 (word), or 4 (dword). If length is not specified, 'FW Monitor' assumes 4 (dword).
* order specifies the byte order. Possible values are b (big endian), or l (little endian, or host order). If order is not specified, 'FW Monitor' assumes little endian byte order.
* relational-operator is a relational operator to express the relation between the packet data and the value:
** < less than
** > greater than
** <= less than or equal to
** >= greater than or equal to
** = or is equal to
** != or is not not equal to
* value is one of the data types known to INSPECT (e.g., an IP address, or an integer).

The IP-based protocols are stored in the IP packet as a byte at offset 9:
* To filter based on a protocol encapsulated into IP, use the "accept [9:1]=Protocol_Number_in_Decimal_format;" syntax.

The Layer 3 IP addresses are stored in the IP packet as double words at offset 12 (source address) and at offset 16 (destination address):
* To filter based on a source IP address, use the "accept [12:4,b]=IP_Address_in_Dotted_Decimal_format;" syntax.
* To filter based on a destination IP address, use the "accept [16:4,b]=IP_Address_in_Dotted_Decimal_format;" syntax.

The Layer 4 ports are stored in the IP packet as a word at offset 20 (source port) and at offset 22 (destination port):
* To filter based on a source port, use the "accept [20:2,b]=Port_Number_in_Decimal_format;" syntax.
* To filter based on a destination port, use the "accept [22:2,b]=Port_Number_in_Decimal_format;" syntax.

Capture everything between host X and host Y:
 [Expert@HostName]# fw monitor -e "accept (([12:4,b]=x.x.x.x , [16:4,b]=y.y.y.y) or ([12:4,b]=y.y.y.y , [16:4,b]=x.x.x.x));"

Capture everything on port X:
 [Expert@HostName]# fw monitor -e "accept [20:2,b]=x or [22:2,b]=x;" -o /var/log/fw_mon.cap

'''Network Specific Capture'''

Capture everything on network 192.168.33.0/24:
 [Expert@HostName]# fw monitor -e "net={<192.168.33.0,192.168.33.255>}; dst in net, accept;"

'''Examples'''

Capture ESP protocol or UDP port 161 (SNMP):
 [Expert@HostName]# fw monitor -e "(ip_p=50) or (ip_p=17, port(161)), accept;" -o /var/log/fw_mon.cap > /dev/null 2>&1 &
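To see why the byte-offset filters above use 9, 12, 16, 20 and 22, here is an added example (not from the wiki page or from Check Point) that reads those fields out of a constructed IPv4/TCP packet the same way the [offset:length,b] syntax does; it also shows the caveat that 20 and 22 are only the port offsets when the IP header carries no options (IHL = 5), since a packet with options puts option bytes where the fixed-offset filter expects the ports. It assumes a POSIX shell with cut and printf; the packet bytes and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page or Check Point: read the fields that the
# fw monitor "[offset:length,b]" filters test out of a hex-encoded IPv4 packet.

# Unsigned big-endian integer of LEN bytes at byte OFFSET of the hex string HEX.
# This is the value that "[OFFSET:LEN,b]" is compared against.
pkt_be() {
    hex=$1; off=$2; len=$3
    sub=$(printf '%s\n' "$hex" | cut -c "$((off * 2 + 1))-$((off * 2 + len * 2))")
    echo $((0x$sub))
}

# Dotted-quad form of the 4 bytes at OFFSET (12 = source, 16 = destination).
pkt_ip() {
    hex=$1; off=$2
    echo "$(pkt_be "$hex" "$off" 1).$(pkt_be "$hex" "$((off + 1))" 1).$(pkt_be "$hex" "$((off + 2))" 1).$(pkt_be "$hex" "$((off + 3))" 1)"
}

# Real start of the transport header: IHL (low nibble of byte 0) times 4.
# The page's [20:2,b] / [22:2,b] port filters silently assume this is 20.
pkt_l4_offset() {
    echo $(( ($(pkt_be "$1" 0 1) & 0x0f) * 4 ))
}

# Summarise the filterable fields of one packet on a single line.
pkt_fields() {
    hex=$1
    l4=$(pkt_l4_offset "$hex")
    printf 'proto=%s src=%s dst=%s sport=%s dport=%s l4off=%s\n' \
        "$(pkt_be "$hex" 9 1)" "$(pkt_ip "$hex" 12)" "$(pkt_ip "$hex" 16)" \
        "$(pkt_be "$hex" "$l4" 2)" "$(pkt_be "$hex" "$((l4 + 2))" 2)" "$l4"
}

# Emit the page's fixed-offset filter for "everything between host X and host Y".
fwmon_host_pair_filter() {
    printf 'accept (([12:4,b]=%s , [16:4,b]=%s) or ([12:4,b]=%s , [16:4,b]=%s));\n' "$1" "$2" "$2" "$1"
}

# Constructed sample: IPv4 (IHL=5), TCP, 192.168.1.1:22 -> 10.0.0.1:54321.
SAMPLE_PLAIN='450000280001000040060000c0a801010a0000010016d43100000000000000005002200000000000'
# Same flow with 4 bytes of IP options (IHL=6), so TCP really starts at offset 24;
# a filter reading [20:2,b] sees the option bytes 0x0101 (257) instead of port 22.
SAMPLE_OPTS='4600002c0001000040060000c0a801010a000001010101000016d43100000000000000005002200000000000'

# Stand-alone run: show both packets and the filter that matches the flow.
if [ "${1:-}" = "--demo" ]; then
    pkt_fields "$SAMPLE_PLAIN"
    pkt_fields "$SAMPLE_OPTS"
    echo "fixed-offset [20:2,b] on the options packet: $(pkt_be "$SAMPLE_OPTS" 20 2)"
    fwmon_host_pair_filter 192.168.1.1 10.0.0.1
fi
```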
Filter out the usual garbage (SMTP, POP3, SSH, Microsoft NetBIOS, Check Point ClusterXL CCP):
 [Expert@HostName]# fw monitor -e "(sport!=25) and (dport!=25) and (sport!=110) and (dport!=110) and (sport!=22) and (dport!=22) and (sport!=137) and (dport!=137) and (sport!=8116) and (dport!=8116), accept;" -o /var/log/fw_mon.cap > /dev/null 2>&1 &

Filter out the usual garbage (filter in only the TCP protocol and the HTTP and HTTPS ports; filter out SSH and FW logs):
 [Expert@HostName]# fw monitor -e "accept (ip_p=6) and (not (sport=22 or dport=22)) and (not (sport=257 or dport=257)) and ((dport=80 or dport=443) or (sport=80 or sport=443));" -o /var/log/fw_mon.cap > /dev/null 2>&1 &

Capture Edge communication on UDP ports 9281, 9282, 9283:
 [Expert@HostName]# fw monitor -e "ip_p=17, (host(10.10.10.10) or host(20.20.20.20) or host(30.30.30.30)) and (port(9281) or port(9282) or port(9283)), accept;" -o /var/log/fw_mon.cap

[[category:check point]]

Fwd restart via CLI (last revision 2013-11-15T23:09:24Z, Nighthawk)

== Problem ==
1) A firewall is logging locally.
Symptoms will include:
A) No new logs are coming into the SmartCenter or CLM according to SmartView Tracker or the fw log command.
B) The $FWDIR/log/fw.log file is increasing in size on the firewall in question.

2) There is no TCP log connection between the firewall fwd process and the log server / SmartCenter / CLM. You should normally see an ESTABLISHED connection when running the following command on a firewall that is configured to log remotely.
 [Expert@chkpfw]# '''netstat -anp | grep ":257" | grep -v -E "LISTEN|127.0.0.1"'''
 tcp        0      0 172.16.0.254:48956      192.168.1.100:257       ESTABLISHED 31856/fwd
where 172.16.0.254 = local firewall address and 192.168.1.100 = remote log server address.

== Solution ==
1) Make sure fwd is running on the SmartCenter or other logger and that there is free disk space.

2) Restart fwd on the firewall(s).

'''command line fwd restart'''

'''stop command'''
 # cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"

'''start command'''
 # cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd"

[[category:logging]]
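As an added example (not from the wiki page), the two checks in the Problem section turned into a script: it applies the page's netstat filter to find the fwd session to port 257 and compares two samples of the local fw.log size to spot symptom B. The netstat lines are constructed from the page's sample output; the function names are this example's own and it assumes a POSIX shell with awk.

```shell
#!/bin/sh
# Added example, not from the wiki page: script the two symptom checks above.

# Print "<local>:<port> -> <logserver>" for each ESTABLISHED fwd connection to
# port 257 found in "netstat -anp" output on stdin; print nothing if there is none.
# Same filter as the page: keep ":257", drop LISTEN lines and loopback sessions.
fwd_log_peers() {
    grep ':257' | grep -v -E 'LISTEN|127\.0\.0\.1' |
    awk '$1 == "tcp" && $6 == "ESTABLISHED" && $5 ~ /:257$/ {
            peer = $5; sub(/:257$/, "", peer)
            printf "%s -> %s\n", $4, peer
        }'
}

# Return 0 if fw.log grew between two size samples (symptom B on the page), i.e.
# the gateway is writing logs locally instead of sending them. On a gateway the
# samples come from: stat -c %s "$FWDIR/log/fw.log" (GNU stat), taken a minute apart.
# Usage: fwlog_growing <size_before> <size_after>
fwlog_growing() {
    [ "$2" -gt "$1" ]
}

# Overall verdict for one gateway: "remote" (log connection up, fw.log not growing),
# "local" (no log connection and fw.log growing), "check" (mixed signals).
# Usage: log_state "<netstat -anp output>" <size_before> <size_after>
log_state() {
    netstat_out=$1; before=$2; after=$3
    peers=$(printf '%s\n' "$netstat_out" | fwd_log_peers)
    if [ -n "$peers" ] && ! fwlog_growing "$before" "$after"; then
        echo remote
    elif [ -z "$peers" ] && fwlog_growing "$before" "$after"; then
        echo local
    else
        echo check
    fi
}

# Constructed netstat -anp sample: the listener, a loopback session and the real fwd session.
NETSTAT_OK='tcp        0      0 0.0.0.0:257             0.0.0.0:*               LISTEN      31856/fwd
tcp        0      0 127.0.0.1:46000         127.0.0.1:257           ESTABLISHED 4242/cpd
tcp        0      0 172.16.0.254:48956      192.168.1.100:257       ESTABLISHED 31856/fwd'
# Same gateway after the log connection has dropped: only the listener remains.
NETSTAT_DOWN='tcp        0      0 0.0.0.0:257             0.0.0.0:*               LISTEN      31856/fwd'

# Stand-alone run over the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$NETSTAT_OK" | fwd_log_peers
    log_state "$NETSTAT_OK" 1048576 1048576
    log_state "$NETSTAT_DOWN" 1048576 5242880
fi
```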
Gaia VRRP setup guide (last revision 2016-02-18T01:59:22Z, Nighthawk)

== create VRID and backup-addresses ==
From the clish prompt, create the vrid, add the backup-addresses, and save config. The commands run are basically the same on both nodes except for the priority.

{| cellspacing="5" border="1"
|-
|
 [Expert@chkpfw1]# '''clish'''
 chkpfw1> '''add mcvr vrid 100 priority 100 priority-delta 10'''
 chkpfw1> '''add mcvr vrid 100 backup-address 172.16.31.11'''
 chkpfw1> '''add mcvr vrid 100 backup-address 192.168.175.1'''
 chkpfw1> '''save config'''
|
 [Expert@chkpfw2]# '''clish'''
 chkpfw2> '''add mcvr vrid 100 priority 95 priority-delta 10'''
 chkpfw2> '''add mcvr vrid 100 backup-address 172.16.31.11'''
 chkpfw2> '''add mcvr vrid 100 backup-address 192.168.175.1'''
 chkpfw2> '''save config'''
|}

== configure cluster object ==
If upgrading from SecurePlatform, you will need to set the O.S. version. When you do this, the "ClusterXL" option on the left side will expand to read "ClusterXL and VRRP".

[[file:chkp_vrrp_cluster_config-1.png]]

Select VRRP as your HA method. Also, I like to enable the "Forward Cluster Incoming traffic..." option. Otherwise you cannot ping your VRRP backup / cluster IPs to see if they are working.

[[file:chkp_vrrp_cluster_config-1.png]]

== Add rule to allow vrrp advertisements ==
Failure to do so will cause master/master status.

[[file:chkp_vrrp_rule.png]]

== Proxy arps ==
If you have NATs with associated proxy arps, then you will need to adjust the config (if switching over from CPHA) to match the new VRRP MACs. The VMAC will be 00:00:5e:00:01:xx, where xx = the hexadecimal form of your VRID. So, in this example our VRID is 100, so the VMAC is 00:00:5e:00:01:64. You can view this by running:
 [Expert@chkpfw1]# '''clish -c "show vrrp interfaces" | grep -i vmac'''
 VMAC Mode: VRRP
 VMAC: 00:00:5e:00:01:64
 VMAC Mode: VRRP
 VMAC: 00:00:5e:00:01:64

== Checking your configuration ==
{| cellspacing="5" border="1"
|-
|
 [Expert@chkpfw1]# '''clish -c "show vrrp summary"'''
 VRRP State
 VRRP Router State: Up
 Flags: On
 Interface enabled: 2
 Virtual routers configured: 2
 In Init state 0
 In Backup state 0
 In Master state 2
|
 [Expert@chkpfw2]# '''clish -c "show vrrp summary"'''
 VRRP State
 VRRP Router State: Up
 Flags: On,MonitorFirewall
 Interface enabled: 2
 Virtual routers configured: 2
 In Init state 0
 In Backup state 2
 In Master state 0
|}

Verify your vrrp backup address is in effect. It will NOT show up in ifconfig output.
 [Expert@chkpfw1]# '''ip addr show eth0'''
 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
     link/ether 00:0c:29:d8:3e:56 brd ff:ff:ff:ff:ff:ff
     inet 172.16.31.9/28 brd 172.16.31.15 scope global eth0
     inet 172.16.31.11/28 brd 172.16.31.15 scope global secondary flags 10 eth0    <<< this line is the vrrp backup-address

== Failover ==
To control which firewall is master, adjust the priorities. In the beginning we set chkpfw1 priority to 100, and chkpfw2 to 95. If we elevate the priority of the latter, it will become master.

Example:
 chkpfw2> set mcvr vrid 100 priority 105

If you want to leave it that way and have it survive a reboot, you will have to also run a "save config".

[[category:vrrp]] [[category:gaia]]
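As an added example (not from the wiki page), two checks for the facts above: the VMAC derived from a VRID as in the Proxy arps section, and a master/master detection over two nodes' "show vrrp summary" outputs, which is the state a missing advertisement rule produces. The summary text is constructed from the page's sample output, the function names are this example's own, and it assumes a POSIX shell with awk.

```shell
#!/bin/sh
# Added example, not from the wiki page: derive the VRRP VMAC from a VRID and
# detect a master/master split from two "show vrrp summary" outputs.

# VRRP virtual MAC for a VRID: 00:00:5e:00:01:<VRID in hex>, VRID 1..255.
# Returns 1 (prints nothing) for anything outside that range.
vrrp_vmac() {
    vrid=$1
    case $vrid in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$vrid" -ge 1 ] && [ "$vrid" -le 255 ] || return 1
    printf '00:00:5e:00:01:%02x\n' "$vrid"
}

# Pull the "In Master state N" / "In Backup state N" counter out of one summary.
# Usage: vrrp_count "<summary text>" Master|Backup
vrrp_count() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "In" && $2 == want { print $4; found = 1 }
        END { if (!found) print 0 }'
}

# Compare two nodes' summaries. For one VRID on the same interfaces, a healthy
# pair has exactly one side in Master state on every virtual router.
# Prints "ok", "split" (both nodes master somewhere) or "none" (no master at all).
# Usage: vrrp_pair_state "<summary A>" "<summary B>"
vrrp_pair_state() {
    ma=$(vrrp_count "$1" Master); mb=$(vrrp_count "$2" Master)
    if [ "$ma" -gt 0 ] && [ "$mb" -gt 0 ]; then
        echo split
    elif [ "$ma" -eq 0 ] && [ "$mb" -eq 0 ]; then
        echo none
    else
        echo ok
    fi
}

# Constructed from the page's sample output for chkpfw1 and chkpfw2.
SUMMARY_FW1='VRRP State
VRRP Router State: Up
Flags: On
Interface enabled: 2
Virtual routers configured: 2
In Init state 0
In Backup state 0
In Master state 2'
SUMMARY_FW2='VRRP State
VRRP Router State: Up
Flags: On,MonitorFirewall
Interface enabled: 2
Virtual routers configured: 2
In Init state 0
In Backup state 2
In Master state 0'
# What the page warns about: without the advertisement rule both nodes go master.
SUMMARY_FW2_SPLIT='VRRP State
VRRP Router State: Up
Flags: On,MonitorFirewall
Interface enabled: 2
Virtual routers configured: 2
In Init state 0
In Backup state 0
In Master state 2'

# Stand-alone run: VMAC for VRID 100, then a healthy pair and a split pair.
if [ "${1:-}" = "--demo" ]; then
    vrrp_vmac 100
    vrrp_pair_state "$SUMMARY_FW1" "$SUMMARY_FW2"
    vrrp_pair_state "$SUMMARY_FW1" "$SUMMARY_FW2_SPLIT"
fi
```

On a live pair, feed vrrp_pair_state the output of clish -c "show vrrp summary" from each node.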
[Expert@chkpfw1]# '''clish -c "show vrrp interfaces" | grep -i vmac''' VMAC Mode: VRRP VMAC: 00:00:5e:00:01:64 VMAC Mode: VRRP VMAC: 00:00:5e:00:01:64 == Checking your configuration == {| cellspacing="5" border="1" |- | [Expert@chkpfw1]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 0 In Master state 2 | [Expert@chkpfw2]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On,MonitorFirewall Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 2 In Master state 0 |- |- |} Verify your vrrp backup address is in effect. It will NOT show up in ifconfig output. Also, you cannot ping the backup-addresses in Gaia like you could in ipso. Expert@chkpfw1]# '''ip addr show eth0''' 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0c:29:d8:3e:56 brd ff:ff:ff:ff:ff:ff inet 172.16.31.9/28 brd 172.16.31.15 scope global eth0 inet 172.16.31.11/28 brd 172.16.31.15 scope global secondary flags 10 eth0 <<< this line is the vrrp backup-address [[category:vrrp]] [[category:gaia]] 267 266 2013-09-15T09:04:23Z Nighthawk 1 /* create VRID and backup-addresses */ wikitext text/x-wiki == create VRID and backup-addresses == from clish prompt, create vrid, add backup-addresses, save config Expert@chkpfw2]# '''clish''' chkpfw2> '''add mcvr vrid 100 priority 100 priority-delta 10''' chkpfw2> '''add mcvr vrid 100 backup-address 172.16.31.1''' chkpfw2> '''add mcvr vrid 100 backup-address 192.168.175.1''' chkpfw2> '''save config''' == configure cluster object == If upgrading from SecurePlatform, you will need to set the O.S. verions. When you do this, the "ClusterXL" option on the left side will expand to read "ClusterXL and VRRP" [[file:chkp_vrrp_cluster_config-1.png]] Select VRRP as your HA method. Also, I like to enable the "Forward Cluster Incoming traffic..." option. 
Otherwise you cannot ping your VRRP backup / cluster IPs to see if they are working. [[file:chkp_vrrp_cluster_config-1.png]] == Add rule to allow vrrp adverstisements == Failure to do so will cause master/master status. [[file:chkp_vrrp_rule.png]] == Proxy arps == If you have NATs with associated proxy arps, then you will need to adjust this to match the new VRRP configuration. VRRP by default uses a multicast MAC. Most likely, if you are upgrading from SPLAT and CPHA, your proxy arps were using unicast MACs. The VMAC will be 00:00:5e:00:01:xx, where xx = the hexadecimal form of you VRID. So, in this example our VRID is 100, so the VMAC is 00:00:5e:00:01:64. You can view this by running... [Expert@chkpfw1]# '''clish -c "show vrrp interfaces" | grep -i vmac''' VMAC Mode: VRRP VMAC: 00:00:5e:00:01:64 VMAC Mode: VRRP VMAC: 00:00:5e:00:01:64 == Checking your configuration == {| cellspacing="5" border="1" |- | [Expert@chkpfw1]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 0 In Master state 2 | [Expert@chkpfw2]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On,MonitorFirewall Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 2 In Master state 0 |- |- |} Verify your vrrp backup address is in effect. It will NOT show up in ifconfig output. Also, you cannot ping the backup-addresses in Gaia like you could in ipso. 
Expert@chkpfw1]# '''ip addr show eth0''' 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0c:29:d8:3e:56 brd ff:ff:ff:ff:ff:ff inet 172.16.31.9/28 brd 172.16.31.15 scope global eth0 inet 172.16.31.11/28 brd 172.16.31.15 scope global secondary flags 10 eth0 <<< this line is the vrrp backup-address [[category:vrrp]] [[category:gaia]] 266 265 2013-09-15T08:47:50Z Nighthawk 1 /* Checking your configuration */ wikitext text/x-wiki == create VRID and backup-addresses == from clish prompt, create vrid, add backup-addresses, save config Expert@chkpfw2]# '''clish''' chkpfw2> '''add mcvr vrid 100 priority 95 priority-delta 10''' chkpfw2> '''add mcvr vrid 100 backup-address 172.16.31.1''' chkpfw2> '''add mcvr vrid 100 backup-address 192.168.175.1''' chkpfw2> '''save config''' == configure cluster object == If upgrading from SecurePlatform, you will need to set the O.S. verions. When you do this, the "ClusterXL" option on the left side will expand to read "ClusterXL and VRRP" [[file:chkp_vrrp_cluster_config-1.png]] Select VRRP as your HA method. Also, I like to enable the "Forward Cluster Incoming traffic..." option. Otherwise you cannot ping your VRRP backup / cluster IPs to see if they are working. [[file:chkp_vrrp_cluster_config-1.png]] == Add rule to allow vrrp adverstisements == Failure to do so will cause master/master status. [[file:chkp_vrrp_rule.png]] == Proxy arps == If you have NATs with associated proxy arps, then you will need to adjust this to match the new VRRP configuration. VRRP by default uses a multicast MAC. Most likely, if you are upgrading from SPLAT and CPHA, your proxy arps were using unicast MACs. The VMAC will be 00:00:5e:00:01:xx, where xx = the hexadecimal form of you VRID. So, in this example our VRID is 100, so the VMAC is 00:00:5e:00:01:64. You can view this by running... 
[Expert@chkpfw1]# '''clish -c "show vrrp interfaces" | grep -i vmac''' VMAC Mode: VRRP VMAC: 00:00:5e:00:01:64 VMAC Mode: VRRP VMAC: 00:00:5e:00:01:64 == Checking your configuration == {| cellspacing="5" border="1" |- | [Expert@chkpfw1]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 0 In Master state 2 | [Expert@chkpfw2]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On,MonitorFirewall Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 2 In Master state 0 |- |- |} Verify your vrrp backup address is in effect. It will NOT show up in ifconfig output. Also, you cannot ping the backup-addresses in Gaia like you could in ipso. Expert@chkpfw1]# '''ip addr show eth0''' 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0c:29:d8:3e:56 brd ff:ff:ff:ff:ff:ff inet 172.16.31.9/28 brd 172.16.31.15 scope global eth0 inet 172.16.31.11/28 brd 172.16.31.15 scope global secondary flags 10 eth0 <<< this line is the vrrp backup-address [[category:vrrp]] [[category:gaia]] 265 264 2013-09-15T08:47:32Z Nighthawk 1 /* Checking your configuration */ wikitext text/x-wiki == create VRID and backup-addresses == from clish prompt, create vrid, add backup-addresses, save config Expert@chkpfw2]# '''clish''' chkpfw2> '''add mcvr vrid 100 priority 95 priority-delta 10''' chkpfw2> '''add mcvr vrid 100 backup-address 172.16.31.1''' chkpfw2> '''add mcvr vrid 100 backup-address 192.168.175.1''' chkpfw2> '''save config''' == configure cluster object == If upgrading from SecurePlatform, you will need to set the O.S. verions. When you do this, the "ClusterXL" option on the left side will expand to read "ClusterXL and VRRP" [[file:chkp_vrrp_cluster_config-1.png]] Select VRRP as your HA method. Also, I like to enable the "Forward Cluster Incoming traffic..." option. 
Otherwise you cannot ping your VRRP backup / cluster IPs to see if they are working. [[file:chkp_vrrp_cluster_config-1.png]] == Add rule to allow vrrp adverstisements == Failure to do so will cause master/master status. [[file:chkp_vrrp_rule.png]] == Proxy arps == If you have NATs with associated proxy arps, then you will need to adjust this to match the new VRRP configuration. VRRP by default uses a multicast MAC. Most likely, if you are upgrading from SPLAT and CPHA, your proxy arps were using unicast MACs. The VMAC will be 00:00:5e:00:01:xx, where xx = the hexadecimal form of you VRID. So, in this example our VRID is 100, so the VMAC is 00:00:5e:00:01:64. You can view this by running... [Expert@chkpfw1]# '''clish -c "show vrrp interfaces" | grep -i vmac''' VMAC Mode: VRRP VMAC: 00:00:5e:00:01:64 VMAC Mode: VRRP VMAC: 00:00:5e:00:01:64 == Checking your configuration == {| cellspacing="5" border="1" ! | ! |- | [Expert@chkpfw1]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 0 In Master state 2 | [Expert@chkpfw2]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On,MonitorFirewall Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 2 In Master state 0 |- |- |} Verify your vrrp backup address is in effect. It will NOT show up in ifconfig output. Also, you cannot ping the backup-addresses in Gaia like you could in ipso. 
Expert@chkpfw1]# '''ip addr show eth0''' 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0c:29:d8:3e:56 brd ff:ff:ff:ff:ff:ff inet 172.16.31.9/28 brd 172.16.31.15 scope global eth0 inet 172.16.31.11/28 brd 172.16.31.15 scope global secondary flags 10 eth0 <<< this line is the vrrp backup-address [[category:vrrp]] [[category:gaia]] 264 263 2013-09-15T08:47:05Z Nighthawk 1 /* Checking your configuration */ wikitext text/x-wiki == create VRID and backup-addresses == from clish prompt, create vrid, add backup-addresses, save config Expert@chkpfw2]# '''clish''' chkpfw2> '''add mcvr vrid 100 priority 95 priority-delta 10''' chkpfw2> '''add mcvr vrid 100 backup-address 172.16.31.1''' chkpfw2> '''add mcvr vrid 100 backup-address 192.168.175.1''' chkpfw2> '''save config''' == configure cluster object == If upgrading from SecurePlatform, you will need to set the O.S. verions. When you do this, the "ClusterXL" option on the left side will expand to read "ClusterXL and VRRP" [[file:chkp_vrrp_cluster_config-1.png]] Select VRRP as your HA method. Also, I like to enable the "Forward Cluster Incoming traffic..." option. Otherwise you cannot ping your VRRP backup / cluster IPs to see if they are working. [[file:chkp_vrrp_cluster_config-1.png]] == Add rule to allow vrrp adverstisements == Failure to do so will cause master/master status. [[file:chkp_vrrp_rule.png]] == Proxy arps == If you have NATs with associated proxy arps, then you will need to adjust this to match the new VRRP configuration. VRRP by default uses a multicast MAC. Most likely, if you are upgrading from SPLAT and CPHA, your proxy arps were using unicast MACs. The VMAC will be 00:00:5e:00:01:xx, where xx = the hexadecimal form of you VRID. So, in this example our VRID is 100, so the VMAC is 00:00:5e:00:01:64. You can view this by running... 
[Expert@chkpfw1]# '''clish -c "show vrrp interfaces" | grep -i vmac''' VMAC Mode: VRRP VMAC: 00:00:5e:00:01:64 VMAC Mode: VRRP VMAC: 00:00:5e:00:01:64 == Checking your configuration == {| cellspacing="5" border="1" align="left" ! | ! |- | [Expert@chkpfw1]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 0 In Master state 2 | [Expert@chkpfw2]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On,MonitorFirewall Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 2 In Master state 0 |- |- |} Verify your vrrp backup address is in effect. It will NOT show up in ifconfig output. Also, you cannot ping the backup-addresses in Gaia like you could in ipso. Expert@chkpfw1]# '''ip addr show eth0''' 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0c:29:d8:3e:56 brd ff:ff:ff:ff:ff:ff inet 172.16.31.9/28 brd 172.16.31.15 scope global eth0 inet 172.16.31.11/28 brd 172.16.31.15 scope global secondary flags 10 eth0 <<< this line is the vrrp backup-address [[category:vrrp]] [[category:gaia]] 263 261 2013-09-15T08:46:07Z Nighthawk 1 /* from clish prompt, create vrid, add backup-addresses, save config */ wikitext text/x-wiki == create VRID and backup-addresses == from clish prompt, create vrid, add backup-addresses, save config Expert@chkpfw2]# '''clish''' chkpfw2> '''add mcvr vrid 100 priority 95 priority-delta 10''' chkpfw2> '''add mcvr vrid 100 backup-address 172.16.31.1''' chkpfw2> '''add mcvr vrid 100 backup-address 192.168.175.1''' chkpfw2> '''save config''' == configure cluster object == If upgrading from SecurePlatform, you will need to set the O.S. verions. When you do this, the "ClusterXL" option on the left side will expand to read "ClusterXL and VRRP" [[file:chkp_vrrp_cluster_config-1.png]] Select VRRP as your HA method. 
Also, I like to enable the "Forward Cluster Incoming traffic..." option. Otherwise you cannot ping your VRRP backup / cluster IPs to see if they are working. [[file:chkp_vrrp_cluster_config-1.png]] == Add rule to allow vrrp adverstisements == Failure to do so will cause master/master status. [[file:chkp_vrrp_rule.png]] == Proxy arps == If you have NATs with associated proxy arps, then you will need to adjust this to match the new VRRP configuration. VRRP by default uses a multicast MAC. Most likely, if you are upgrading from SPLAT and CPHA, your proxy arps were using unicast MACs. The VMAC will be 00:00:5e:00:01:xx, where xx = the hexadecimal form of you VRID. So, in this example our VRID is 100, so the VMAC is 00:00:5e:00:01:64. You can view this by running... [Expert@chkpfw1]# '''clish -c "show vrrp interfaces" | grep -i vmac''' VMAC Mode: VRRP VMAC: 00:00:5e:00:01:64 VMAC Mode: VRRP VMAC: 00:00:5e:00:01:64 == Checking your configuration == {| cellspacing="5" border="1" ! align="left" | ! |- | [Expert@chkpfw1]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 0 In Master state 2 | [Expert@chkpfw2]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On,MonitorFirewall Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 2 In Master state 0 |- |- |} Verify your vrrp backup address is in effect. It will NOT show up in ifconfig output. Also, you cannot ping the backup-addresses in Gaia like you could in ipso. 
Expert@chkpfw1]# '''ip addr show eth0''' 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0c:29:d8:3e:56 brd ff:ff:ff:ff:ff:ff inet 172.16.31.9/28 brd 172.16.31.15 scope global eth0 inet 172.16.31.11/28 brd 172.16.31.15 scope global secondary flags 10 eth0 <<< this line is the vrrp backup-address [[category:vrrp]] [[category:gaia]] 261 260 2013-09-15T08:44:40Z Nighthawk 1 moved [[gaia vrrp setup using CLI]] to [[Gaia VRRP setup guide]] wikitext text/x-wiki == from clish prompt, create vrid, add backup-addresses, save config == Expert@chkpfw2]# '''clish''' chkpfw2> '''add mcvr vrid 100 priority 95 priority-delta 10''' chkpfw2> '''add mcvr vrid 100 backup-address 172.16.31.1''' chkpfw2> '''add mcvr vrid 100 backup-address 192.168.175.1''' chkpfw2> '''save config''' == configure cluster object == If upgrading from SecurePlatform, you will need to set the O.S. verions. When you do this, the "ClusterXL" option on the left side will expand to read "ClusterXL and VRRP" [[file:chkp_vrrp_cluster_config-1.png]] Select VRRP as your HA method. Also, I like to enable the "Forward Cluster Incoming traffic..." option. Otherwise you cannot ping your VRRP backup / cluster IPs to see if they are working. [[file:chkp_vrrp_cluster_config-1.png]] == Add rule to allow vrrp adverstisements == Failure to do so will cause master/master status. [[file:chkp_vrrp_rule.png]] == Proxy arps == If you have NATs with associated proxy arps, then you will need to adjust this to match the new VRRP configuration. VRRP by default uses a multicast MAC. Most likely, if you are upgrading from SPLAT and CPHA, your proxy arps were using unicast MACs. The VMAC will be 00:00:5e:00:01:xx, where xx = the hexadecimal form of you VRID. So, in this example our VRID is 100, so the VMAC is 00:00:5e:00:01:64. You can view this by running... 
[Expert@chkpfw1]# '''clish -c "show vrrp interfaces" | grep -i vmac''' VMAC Mode: VRRP VMAC: 00:00:5e:00:01:64 VMAC Mode: VRRP VMAC: 00:00:5e:00:01:64 == Checking your configuration == {| cellspacing="5" border="1" ! align="left" | ! |- | [Expert@chkpfw1]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 0 In Master state 2 | [Expert@chkpfw2]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On,MonitorFirewall Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 2 In Master state 0 |- |- |} Verify your vrrp backup address is in effect. It will NOT show up in ifconfig output. Also, you cannot ping the backup-addresses in Gaia like you could in ipso. Expert@chkpfw1]# '''ip addr show eth0''' 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0c:29:d8:3e:56 brd ff:ff:ff:ff:ff:ff inet 172.16.31.9/28 brd 172.16.31.15 scope global eth0 inet 172.16.31.11/28 brd 172.16.31.15 scope global secondary flags 10 eth0 <<< this line is the vrrp backup-address [[category:vrrp]] [[category:gaia]] 260 259 2013-09-15T08:44:04Z Nighthawk 1 wikitext text/x-wiki == from clish prompt, create vrid, add backup-addresses, save config == Expert@chkpfw2]# '''clish''' chkpfw2> '''add mcvr vrid 100 priority 95 priority-delta 10''' chkpfw2> '''add mcvr vrid 100 backup-address 172.16.31.1''' chkpfw2> '''add mcvr vrid 100 backup-address 192.168.175.1''' chkpfw2> '''save config''' == configure cluster object == If upgrading from SecurePlatform, you will need to set the O.S. verions. When you do this, the "ClusterXL" option on the left side will expand to read "ClusterXL and VRRP" [[file:chkp_vrrp_cluster_config-1.png]] Select VRRP as your HA method. Also, I like to enable the "Forward Cluster Incoming traffic..." option. 
Otherwise you cannot ping your VRRP backup / cluster IPs to see if they are working. [[file:chkp_vrrp_cluster_config-1.png]] == Add rule to allow vrrp adverstisements == Failure to do so will cause master/master status. [[file:chkp_vrrp_rule.png]] == Proxy arps == If you have NATs with associated proxy arps, then you will need to adjust this to match the new VRRP configuration. VRRP by default uses a multicast MAC. Most likely, if you are upgrading from SPLAT and CPHA, your proxy arps were using unicast MACs. The VMAC will be 00:00:5e:00:01:xx, where xx = the hexadecimal form of you VRID. So, in this example our VRID is 100, so the VMAC is 00:00:5e:00:01:64. You can view this by running... [Expert@chkpfw1]# '''clish -c "show vrrp interfaces" | grep -i vmac''' VMAC Mode: VRRP VMAC: 00:00:5e:00:01:64 VMAC Mode: VRRP VMAC: 00:00:5e:00:01:64 == Checking your configuration == {| cellspacing="5" border="1" ! align="left" | ! |- | [Expert@chkpfw1]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 0 In Master state 2 | [Expert@chkpfw2]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On,MonitorFirewall Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 2 In Master state 0 |- |- |} Verify your vrrp backup address is in effect. It will NOT show up in ifconfig output. Also, you cannot ping the backup-addresses in Gaia like you could in ipso. 
Expert@chkpfw1]# '''ip addr show eth0''' 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0c:29:d8:3e:56 brd ff:ff:ff:ff:ff:ff inet 172.16.31.9/28 brd 172.16.31.15 scope global eth0 inet 172.16.31.11/28 brd 172.16.31.15 scope global secondary flags 10 eth0 <<< this line is the vrrp backup-address [[category:vrrp]] [[category:gaia]] 259 258 2013-09-15T08:34:40Z Nighthawk 1 /* Checking your configuration */ wikitext text/x-wiki == from clish prompt, create vrid, add backup-addresses, save config == Expert@chkpfw2]# '''clish''' chkpfw2> '''add mcvr vrid 100 priority 95 priority-delta 10''' chkpfw2> '''add mcvr vrid 100 backup-address 172.16.31.1''' chkpfw2> '''add mcvr vrid 100 backup-address 192.168.1.1''' chkpfw2> '''save config''' == configure cluster object == If upgrading from SecurePlatform, you will need to set the O.S. verions. When you do this, the "ClusterXL" option on the left side will expand to read "ClusterXL and VRRP" [[file:chkp_vrrp_cluster_config-1.png]] Select VRRP as your HA method. Also, I like to enable the "Forward Cluster Incoming traffic..." option. Otherwise you cannot ping your VRRP backup / cluster IPs to see if they are working. [[file:chkp_vrrp_cluster_config-1.png]] == Add rule to allow vrrp adverstisements == Failure to do so will cause master/master status. [[file:chkp_vrrp_rule.png]] == Checking your configuration == {| cellspacing="5" border="1" ! align="left" | ! |- | [Expert@chkpfw1]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 0 In Master state 2 | [Expert@chkpfw2]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On,MonitorFirewall Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 2 In Master state 0 |- |- |} Verify your vrrp backup address is in effect. It will NOT show up in ifconfig output. 
Also, you cannot ping the backup-addresses in Gaia like you could in ipso. Expert@chkpfw1]# '''ip addr show eth0''' 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0c:29:d8:3e:56 brd ff:ff:ff:ff:ff:ff inet 172.16.31.9/28 brd 172.16.31.15 scope global eth0 inet 172.16.31.11/28 brd 172.16.31.15 scope global secondary flags 10 eth0 <<< this line is the vrrp backup-address [[category:vrrp]] [[category:gaia]] 258 257 2013-09-15T08:34:13Z Nighthawk 1 /* Checking your configuration */ wikitext text/x-wiki == from clish prompt, create vrid, add backup-addresses, save config == Expert@chkpfw2]# '''clish''' chkpfw2> '''add mcvr vrid 100 priority 95 priority-delta 10''' chkpfw2> '''add mcvr vrid 100 backup-address 172.16.31.1''' chkpfw2> '''add mcvr vrid 100 backup-address 192.168.1.1''' chkpfw2> '''save config''' == configure cluster object == If upgrading from SecurePlatform, you will need to set the O.S. verions. When you do this, the "ClusterXL" option on the left side will expand to read "ClusterXL and VRRP" [[file:chkp_vrrp_cluster_config-1.png]] Select VRRP as your HA method. Also, I like to enable the "Forward Cluster Incoming traffic..." option. Otherwise you cannot ping your VRRP backup / cluster IPs to see if they are working. [[file:chkp_vrrp_cluster_config-1.png]] == Add rule to allow vrrp adverstisements == Failure to do so will cause master/master status. [[file:chkp_vrrp_rule.png]] == Checking your configuration == {| cellspacing="5" border="1" ! align="left"|Item ! 
Amount |- | [Expert@chkpfw1]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 0 In Master state 2 | [Expert@chkpfw2]# '''clish -c "show vrrp summary"''' <br>VRRP State VRRP Router State: Up Flags: On,MonitorFirewall Interface enabled: 2 Virtual routers configured: 2 In Init state 0 In Backup state 2 In Master state 0 |- |- |} Verify your vrrp backup address is in effect. It will NOT show up in ifconfig output. Also, you cannot ping the backup-addresses in Gaia like you could in ipso. Expert@chkpfw1]# '''ip addr show eth0''' 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0c:29:d8:3e:56 brd ff:ff:ff:ff:ff:ff inet 172.16.31.9/28 brd 172.16.31.15 scope global eth0 inet 172.16.31.11/28 brd 172.16.31.15 scope global secondary flags 10 eth0 <<< this line is the vrrp backup-address [[category:vrrp]] [[category:gaia]] 257 256 2013-09-15T08:34:02Z Nighthawk 1 /* Checking your configuration */ wikitext text/x-wiki == from clish prompt, create vrid, add backup-addresses, save config == Expert@chkpfw2]# '''clish''' chkpfw2> '''add mcvr vrid 100 priority 95 priority-delta 10''' chkpfw2> '''add mcvr vrid 100 backup-address 172.16.31.1''' chkpfw2> '''add mcvr vrid 100 backup-address 192.168.1.1''' chkpfw2> '''save config''' == configure cluster object == If upgrading from SecurePlatform, you will need to set the O.S. verions. When you do this, the "ClusterXL" option on the left side will expand to read "ClusterXL and VRRP" [[file:chkp_vrrp_cluster_config-1.png]] Select VRRP as your HA method. Also, I like to enable the "Forward Cluster Incoming traffic..." option. Otherwise you cannot ping your VRRP backup / cluster IPs to see if they are working. [[file:chkp_vrrp_cluster_config-1.png]] == Add rule to allow vrrp adverstisements == Failure to do so will cause master/master status. 
[[file:chkp_vrrp_rule.png]]

== Checking your configuration ==
Run '''show vrrp summary''' on both members. With the advertisement rule in place, one member reports its virtual routers in Master state and the other reports them in Backup state; if both members report Master, the advertisements are being dropped (see the rule above).

{| cellspacing="5" border="1"
! align="left"| chkpfw1 (expected master)
! align="left"| chkpfw2 (expected backup)
|-
| [Expert@chkpfw1]# '''clish -c "show vrrp summary"'''
<pre>
VRRP State
VRRP Router State: Up
Flags: On
Interface enabled: 2
Virtual routers configured: 2
In Init state 0
In Backup state 0
In Master state 2
</pre>
| [Expert@chkpfw2]# '''clish -c "show vrrp summary"'''
<pre>
VRRP State
VRRP Router State: Up
Flags: On,MonitorFirewall
Interface enabled: 2
Virtual routers configured: 2
In Init state 0
In Backup state 2
In Master state 0
</pre>
|}

Verify that the VRRP backup address is in effect. It will NOT show up in ifconfig output, so use '''ip addr''' instead. Also, you cannot ping the backup addresses on Gaia like you could on IPSO.

 [Expert@chkpfw1]# '''ip addr show eth0'''
 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
     link/ether 00:0c:29:d8:3e:56 brd ff:ff:ff:ff:ff:ff
     inet 172.16.31.9/28 brd 172.16.31.15 scope global eth0
     inet 172.16.31.11/28 brd 172.16.31.15 scope global secondary flags 10 eth0   <<< this line is the vrrp backup-address
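As an added example (not code from the original page), the following Python script covers two checks described on this wiki: it parses "show vrrp summary" output captured from both members and flags the master/master condition this page warns about, and, for the proxy-ARP page further down, it derives the VMAC from the VRID and audits local.arp entries against it. The member outputs and the local.arp lines are constructed samples; the hostnames, VRID 100 and the MAC addresses are the ones used on this wiki.

```python
import re

# Constructed sample of clish -c "show vrrp summary" from each member of the
# pair on the page: chkpfw1 holds both virtual routers, chkpfw2 backs them up.
SUMMARY_HEALTHY = {
    "chkpfw1": ("VRRP State\nVRRP Router State: Up\nFlags: On\n"
                "Interface enabled: 2\nVirtual routers configured: 2\n"
                "In Init state 0\nIn Backup state 0\nIn Master state 2\n"),
    "chkpfw2": ("VRRP State\nVRRP Router State: Up\nFlags: On,MonitorFirewall\n"
                "Interface enabled: 2\nVirtual routers configured: 2\n"
                "In Init state 0\nIn Backup state 2\nIn Master state 0\n"),
}
# Constructed failure case: with the advertisement rule missing, chkpfw2 never
# hears chkpfw1 and promotes itself too (the master/master symptom on the page).
SUMMARY_SPLIT = dict(SUMMARY_HEALTHY)
SUMMARY_SPLIT["chkpfw2"] = (SUMMARY_HEALTHY["chkpfw2"]
                            .replace("In Backup state 2", "In Backup state 0")
                            .replace("In Master state 0", "In Master state 2"))

_COUNT = re.compile(
    r"^(Virtual routers configured|In (?:Init|Backup|Master) state):?\s+(\d+)\s*$", re.M)

def parse_vrrp_summary(text):
    """Return {'configured': n, 'Init': n, 'Backup': n, 'Master': n} for one member."""
    counts = {}
    for label, value in _COUNT.findall(text):
        name = "configured" if label.startswith("Virtual") else label.split()[1]
        counts[name] = int(value)
    missing = {"configured", "Init", "Backup", "Master"} - set(counts)
    if missing:
        raise ValueError("unparsed vrrp summary fields: %s" % sorted(missing))
    return counts

def check_vrrp_pair(outputs):
    """Classify a two-member pair given {hostname: summary_text}; returns (status, detail).

    Each configured virtual router should be Master on exactly one member: more
    masters than routers is the master/master split, fewer means nobody owns
    the backup addresses."""
    parsed = {host: parse_vrrp_summary(text) for host, text in outputs.items()}
    configured = max(p["configured"] for p in parsed.values())
    masters = sum(p["Master"] for p in parsed.values())
    master_hosts = sorted(h for h, p in parsed.items() if p["Master"])
    if masters > configured:
        return "master/master", "%s all claim master: check the VRRP rule" % master_hosts
    if masters < configured:
        return "no-master", "%d of %d virtual routers have no master" % (configured - masters, configured)
    if any(p["Init"] for p in parsed.values()):
        return "init", "a member still has virtual routers in Init state"
    return "ok", "master on %s" % master_hosts

VMAC_PREFIX = "00:00:5e:00:01"

def vrrp_vmac(vrid):
    """VMAC = 00:00:5e:00:01:XX, XX = VRID in hex (the formula on the proxy-ARP page)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255, got %r" % (vrid,))
    return "%s:%02x" % (VMAC_PREFIX, vrid)

_MAC = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def audit_local_arp(text, vrid):
    """Check local.arp lines (nat_ip  mac  interface_ip) against the VMAC for vrid.

    Returns [(lineno, problem)]; empty means every proxy ARP will be published
    with the cluster MAC rather than one member's own unicast MAC."""
    expected = vrrp_vmac(vrid)
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # tolerate comment lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            problems.append((lineno, "expected 3 fields, got %d" % len(fields)))
            continue
        nat_ip, mac, _iface_ip = fields
        mac = mac.lower()
        if not _MAC.match(mac):
            problems.append((lineno, "malformed MAC %r" % fields[1]))
        elif mac != expected:
            why = "another VRID" if mac.startswith(VMAC_PREFIX) else "non-VRRP unicast MAC"
            problems.append((lineno, "%s uses %s, expected %s (%s)" % (nat_ip, mac, expected, why)))
    return problems

# Constructed local.arp for VRID 100 (VMAC ...:64): one correct entry, one that
# still carries eth0's own MAC from the page, one written for VRID 10 instead.
LOCAL_ARP_SAMPLE = """\
# nat_ip            mac                 interface_ip
192.168.100.100     00:00:5e:00:01:64   192.168.100.1
192.168.100.101     00:0c:29:d8:3e:56   192.168.100.1
192.168.100.102     00:00:5e:00:01:0A   192.168.100.1
"""

if __name__ == "__main__":
    for label, outputs in (("healthy", SUMMARY_HEALTHY), ("split", SUMMARY_SPLIT)):
        print("%-8s %s: %s" % ((label,) + check_vrrp_pair(outputs)))
    for lineno, problem in audit_local_arp(LOCAL_ARP_SAMPLE, 100):
        print("local.arp line %d: %s" % (lineno, problem))
```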
[[category:vrrp]] [[category:gaia]]

Gaia clish config example 0 203 612 2017-02-15T16:56:11Z Nighthawk 1 Created page with " set interface eth1-05 ipv4-address 192.168.253.1 mask-length 24 set interface eth1-05 link-speed 1000M/full" wikitext text/x-wiki
 set interface eth1-05 ipv4-address 192.168.253.1 mask-length 24
 set interface eth1-05 link-speed 1000M/full

Get Provider-1 CMA / Mgmt HA synchronization status from the CLI 0 3 467 466 2014-05-20T15:15:33Z Nighthawk 1 moved [[Get Provider-1 CMA synchronization status from the CLI]] to [[Get Provider-1 CMA / Mgmt HA synchronization status from the CLI]] wikitext text/x-wiki
== How to retrieve CMA sync status from the CLI ==
taken from: Solution ID: sk66069, Product: Multi-Domain Management / Provider-1, Version: R75.10

== Solution ==
1. Log in to the Primary MDS
2. Run the "mdsenv <Primary-CMA>" command.
3. Run the command with the Secondary CMA as the parameter:
 # '''cpmistat -o schema -r mg <Secondary-CMA> | grep "mgSyncStatus"'''
 :mgSyncStatus (Lagging)
[[category:provider-1]]

4 2013-02-25T21:58:32Z Nighthawk 1 Created page with "== How to retrieve CMA sync status from the CLI == taken from: Solution ID: sk66069 Product: Multi-Domain Management / Provider-1 Version: R75.10 == Solution == ..." wikitext text/x-wiki
== Changing the HA status of the Management station from command line ==
Solution ID: sk34495, Product: Security Gateway, Multi-Domain Management / Provider-1, SecurePlatform, Version: NGX R65, R70, R71, R75

check current status (0 = Standby / 1 = Active)
 # cpprod_util FwIsActiveManagement
Set CMA / Management station to Standby status (use if primary / secondary CMAs are in active / active state)
 # cpprod_util FwSetActiveManagement 0
Set CMA / Management station to Active status
 # cpprod_util FwSetActiveManagement 1
[[category:monitoring]]

How to add NATs and ARPs on Gaia with VRRP 0 165 456 2014-05-12T19:02:07Z Nighthawk 1 Created page with " == add NAT rules == Step 1 - Add automatic or manual static NATs in the ruleset as normal. == configuring proxy ARP == Automatic arp is not compatible with firewalls using..." wikitext text/x-wiki
== add NAT rules ==
Step 1 - Add automatic or manual static NATs in the ruleset as normal.

== configuring proxy ARP ==
Automatic ARP is not compatible with firewalls using VRRP for HA, because Automatic ARP is meant for CPHA or standalone firewalls: it publishes unicast MACs, whereas VRRP operates with multicast MACs.
Step 2 - Disable Automatic ARP in your policy (Global Properties > NAT) if it isn't already.

Step 3 - Set up manual proxy ARPs for all your NAT IPs, using the VRRP MAC for these. Configure manual proxy ARPs on Gaia by adding an entry to the file '''/etc/fw/conf/local.arp''', where the entry format is
 nat_ip vrrp_mac firewall_unicast_interface_ip
example entry
 192.168.100.100 00:00:5e:00:01:0A 192.168.100.1
The proxy ARP will take effect upon the next policy installation.

== Determining your firewall's VRRP MAC ==
 [Expert@mygaiafw]# '''clish -c "show vrrp interfaces" | grep -m 1 VMAC'''
 VMAC Mode: VRRP VMAC: '''00:00:5e:00:01:0a'''
so 00:00:5e:00:01:0a is the VRRP MAC or VMAC. It is determined by the formula
 VMAC = 00:00:5e:00:01:XX, where XX = your VRRP VRID in HEX

== verifying proxy arps ==
To make sure the firewall is publishing your newly added proxy ARP, run
 # '''fw ctl arp'''
You should see the new entry in the output.
[[category:vrrp]]

How to determine SIC Certificate expiration date 0 43 48 2013-04-12T15:43:38Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki
How to determine SIC Certificate expiration date

Solution ID: sk62873, Product: SecurePlatform, Version: R70, R71, R75, OS: SecurePlatform, SecurePlatform 2.6, Windows, Platform: All, Last Modified: 11-Aug-2011

Solution

If you want to determine the SIC Certificate expiration date, you can view your certificates by running the following command on the management server:
 [Expert@mgmt]# '''cpca_client lscert'''
'''NOTE:''' This command only works on R65 HFA50 and above.

EXAMPLE OUTPUT:
 Operation succeeded. rc=0.
 4 certs found.
 Subject = CN=mgmt,O=mgmt..bbqdkc
 Status = Valid   Kind = SIC   Serial = 37748   DP = 0
 Not_Before: Sun Apr 3 09:50:11 2011   Not_After: Sat Apr 2 09:50:11 2016
 Subject = CN=cp_mgmt,O=mgmt..bbqdkc
 Status = Valid   Kind = SIC   Serial = 42070   DP = 0
 Not_Before: Sun Apr 3 09:50:06 2011   Not_After: Sat Apr 2 09:50:06 2016
 Subject = CN=gw,O=mgmt..bbqdkc
 Status = Valid   Kind = SIC   Serial = 10659   DP = 0
 Not_Before: Wed Apr 20 23:42:35 2011   Not_After: Tue Apr 19 23:42:35 2016
 Subject = CN=gw,O=mgmt..bbqdkc
 Status = Revoked   Kind = SIC   Serial = 8013   DP = 0
 Not_Before: Sun Apr 3 10:28:55 2011   Not_After: Sat Apr 2 10:28:55 2016

The output can be further filtered using the following optional switches together with the lscert option:
 [-stat Pending|Valid|Revoked|Expired|Renewed] and [-kind SIC|IKE|User|LDAP]
A SIC cert is valid for 5 years from creation (true in older Check Point versions?).
[[category:check point solutions]]

Howto mount an iso on linux 0 40 45 2013-03-29T15:03:58Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki
 mount -o loop iso_filename.iso /mnt/cdrom
[[category:linux]]

IPSO csh interactive while loop example 0 106 320 192 2013-12-09T18:59:40Z Nighthawk 1 wikitext text/x-wiki
Repeat a command every second until interrupted:
 ip390[admin]# '''while ( 1 ) ; ps -auxwww | grep xpand ; sleep 1 ;'''
 while? '''end'''
Ping hosts 192.168.1.1 through 192.168.1.99 one at a time (the counter must be set first, otherwise csh aborts with "i: Undefined variable"):
 # '''set i = 1'''
 # '''while ( $i < 100 ) ; ping -c 1 -W 1 192.168.1.$i | grep time ; @ i++ ;'''
 while? '''end'''
[[category:sysadmin]]

Ip130 0 44 49 2013-04-12T15:48:45Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki
http://wiki.openwrt.org/toh/nokia/ip130

Installing a new hard disk into a Nokia IP130: http://augerking.blogspot.com/2005/10/installing-new-hard-disk-into-nokia.html

Juniper junos olive reference 0 68 97 2013-05-17T15:32:14Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki
initial prompt after olive / junos 8.5R4.3 installation
 root@%
to enter cli
 root@% '''cli'''
then you get a new prompt...
 root>
to enter configuration mode:
 root> '''configure'''
 Entering configuration mode
 [edit]
 root#   <<< ''new pound prompt''
set a user password (user joost) and give the user the super-user class
 root# '''set system login user joost authentication plain-text-password'''
 New password:
 Retype new password:
 [edit]
 root# '''set system login user joost class super-user'''
 [edit]
set interface ip address
 root# '''set interfaces em0 unit 0 family inet address 192.168.0.200/24'''
 [edit]
commit your changes and test the new interface, which should be working now
 root# '''commit and-quit'''
 commit complete
 Exiting configuration mode
 root> '''ping 192.168.0.1'''
 PING 192.168.0.1 (192.168.0.1): 56 data bytes
 64 bytes from 192.168.0.1: icmp_seq=0 ttl=64 time=8.197 ms
 64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=1.927 ms
 64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.648 ms
 64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=0.168 ms
to enable ssh service for incoming management connections
 user@host# '''set system services ssh'''
 [edit]
 root# '''commit and-quit'''
 commit complete
[[category:juniper]]

MDS script to check CMA sync status via command line 0 7 8 2013-02-25T22:09:58Z Nighthawk 1 Created page with "here it am... and it is portable. works on R65 to R75. #!/bin/bash source /opt/CPshared/5.0/tmp/.CPprofile.sh MDS_HOSTNAME=`hostname` MDS_BASE_IP=`cpmiquerybin attr "mds..." wikitext text/x-wiki
Here it is... and it is portable. Works on R65 to R75.
 #!/bin/bash
 # Print the active/standby state and sync status of every CMA pair on this MDS.
 source /opt/CPshared/5.0/tmp/.CPprofile.sh
 MDS_HOSTNAME=`hostname`
 MDS_BASE_IP=`cpmiquerybin attr "mdsdb" mdss "" -a __name__,ipaddr | grep -i $MDS_HOSTNAME | awk '{print $2}'`
 echo "mds hostname = $MDS_HOSTNAME"
 echo "mds base ip = $MDS_BASE_IP"
 # every CMA defined in the MDS database (first component of the object name only)
 MDS_CMA_LIST=( `cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__ | awk -F "_._._" '{printf $1 " " }'` )
 MDS_CMA_LIST_LEN=${#MDS_CMA_LIST[@]}   # array length
 printf "%-35s%-35s%8s%1s%-8s%15s%15s\n" CMA-1 CMA-2 Status / Status Sync_Status_1 Sync_Status_2
 printf "%-35s%-35s%8s%1s%-8s%15s%15s\n" ---------------------------------- ---------------------------------- -------- - -------- -------------- --------------
 for a in `seq $MDS_CMA_LIST_LEN`
 do
     mdsenv ${MDS_CMA_LIST[$a-1]}   # subtract 1 because array keys start at zero
     # the management objects in this CMA's database: the primary and secondary CMA
     LOCAL_CMA=( `cpmiquerybin attr "" network_objects "management='true'" -a __name__ | awk '{printf $1 " "}'` )
     CMA_1_STATUS=`cpmistat -o schema -r mg ${LOCAL_CMA[0]} | grep mgActiveStatus | awk '{print $2}'`
     CMA_2_STATUS=`cpmistat -o schema -r mg ${LOCAL_CMA[1]} | grep mgActiveStatus | awk '{print $2}'`
     CMA_1_SYNC_STATUS=`cpmistat -o schema -r mg ${LOCAL_CMA[0]} | grep "mgSyncStatus" | grep -v "N/R" | awk '{print $2}'`
     CMA_2_SYNC_STATUS=`cpmistat -o schema -r mg ${LOCAL_CMA[1]} | grep "mgSyncStatus" | grep -v "N/R" | awk '{print $2}'`
     # quote every field so an empty status still occupies its column instead of shifting the row
     printf "%-35s%-35s%8s%1s%-8s%15s%15s\n" "${LOCAL_CMA[0]}" "${LOCAL_CMA[1]}" "$CMA_1_STATUS" / "$CMA_2_STATUS" "$CMA_1_SYNC_STATUS" "$CMA_2_SYNC_STATUS"
 done
[[category:scripts]]

MLM logcheck script 0 38 43 2013-03-27T22:13:34Z Nighthawk 1 Created page with "This is a simple logcheck script to identify logs older that 20 days. The output can be piped to a script for compression. #!/bin/sh # source $CPDIR/tmp/.CPprofile.sh RE..." wikitext text/x-wiki
This is a simple logcheck script to identify logs older than 20 days. The output can be piped to a script for compression.
 #!/bin/sh
 # source $CPDIR/tmp/.CPprofile.sh
 RETENTION=20
 # The third path element of $MDS_TEMPLATE is the CPsuite directory name (e.g. CPsuite-R75.20)
 CPSUITE_DIR=`echo $MDS_TEMPLATE | awk -F "/" '{print $3}'`
 # mdsenv
 mcd customers
 for CLM in *
 do
   # every *.log older than RETENTION days for this CLM, except the GUI log
   find $CLM/$CPSUITE_DIR/fw1/log/*.log -mtime +$RETENTION | grep -v fwui.log
 done

[[category:logs]]

= Main Page =
''Revision 823, 2018-08-13T12:45:19Z, Nighthawk: /* Admin Quick Links */''

'''Welcome to cpwikinet!'''

== create new user account ==
New users sign up via [http://www.cpwiki.net/index.php?title=Special:UserLogin&type=signup Login / Signup]

Consult the [//meta.wikimedia.org/wiki/Help:Contents User's Guide] for information on using the wiki software.

== Getting started ==
* [//www.mediawiki.org/wiki/Manual:Configuration_settings Configuration settings list]
* [//www.mediawiki.org/wiki/Manual:FAQ MediaWiki FAQ]
* [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list]
* [https://en.wikipedia.org/wiki/Help:Wikitext_quick_reference Wiki markup]

== Admin Quick Links ==
* [http://www.cpwiki.net/index.php/cpmiquerybin cpmiquerybin]
* [http://www.cpwiki.net/index.php?title=MediaWiki:Sidebar&action=edit Sidebar]
* [http://www.cpwiki.net/index.php/r80_api_reference API Reference]

== Uploading files? Click the link below. ==
* [http://www.cpwiki.net/index.php/Special:Upload Click here to upload a file]
= Management High Availability Synchronization failure =
''Revision 115, 2013-05-21T07:09:13Z, Nighthawk: /* Solution */''

== Problem description ==
* Management HA is failing to sync the secondary CMA via SmartDashboard > Policy > Management High Availability
* Error message: "Failed to receive current status. Reason: 'Management High Availability feature is not enabled.'"
[[file: chkp_mgmt_ha_sync_error.png]]
* The smart_center_backup parameter in objects_5_0.C is false when it should be true:
 [Expert@provider-1]# mdsenv cma-primary
 [Expert@provider-1]# cpmiquerybin attr "" network_objects "management='true'" -a __name__,smart_center_backup
 cma-primary true
 '''cma-secondary false'''
* The secondary CMA is newly created and has never been synchronized. Synchronization during CMA creation failed.
* Error messages from cpca.elg of the secondary CMA:
 main: could not initiate the Certificate Authority.
 No Certificate Authority existing
* The cpca process on the secondary CMA is down and fails to start:
 [Expert@provider-1]# mdsstat
 +-----+----------------+-----------------+------------+----------+----------+----------+
 | Type| Name           | IP address      | FWM        | FWD      | CPD      | CPCA     |
 +-----+----------------+-----------------+------------+----------+----------+----------+
 | MDS | -              | 192.168.1.1     | up 3421    | up 3420  | up 3419  | up 3956  |
 +-----+----------------+-----------------+------------+----------+----------+----------+
 | CMA | cma-primary    | 192.168.1.2     | up 21716   | up 21715 | up 21705 | '''down''' |

== Solution ==
Change the smart_center_backup parameter to true using dbedit, gui-dbedit or by editing the objects_5_0.C file.

'''On the primary CMA:'''
# stop cma
# mdsenv cma-primary
# rm $FWDIR/conf/mgha/*
# start cma
# Manually synchronize the secondary via SmartDashboard > Policy > Management High Availability

After the sync is successful, the cpca on the secondary CMA should start on its own.

 [Expert@provider-1]# mdsstat
 +-----+----------------+-----------------+------------+----------+----------+----------+
 | Type| Name           | IP address      | FWM        | FWD      | CPD      | CPCA     |
 +-----+----------------+-----------------+------------+----------+----------+----------+
 | MDS | -              | 192.168.1.1     | up 3421    | up 3420  | up 3419  | up 3956  |
 +-----+----------------+-----------------+------------+----------+----------+----------+
 | CMA | cma-primary    | 192.168.1.2     | up 21716   | up 21715 | up 21705 | '''up 21785''' |

Problem solved.

[[category:check point]]
[[category:smartcenter]]
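The two symptoms above (a daemon shown as down by mdsstat, and a management object whose smart_center_backup flag is false) are easy to check from a script. The following is an added example, not from the wiki: it parses the mdsstat table and the cpmiquerybin listing from stdin. The sample outputs are reproduced from this page; on an MDS you would pipe the live commands in instead, and the awk column handling is an assumption based on the table layout shown here.

```shell
#!/bin/bash
# Added example: flag the two symptoms this page describes from command output.
# The samples reproduce the outputs shown on the page (constructed input for
# the self-test); on a real MDS pipe `mdsstat` and the cpmiquerybin query in.

MDSSTAT_SAMPLE='+-----+----------------+-----------------+------------+----------+----------+----------+
| Type| Name           | IP address      | FWM        | FWD      | CPD      | CPCA     |
+-----+----------------+-----------------+------------+----------+----------+----------+
| MDS | -              | 192.168.1.1     | up 3421    | up 3420  | up 3419  | up 3956  |
+-----+----------------+-----------------+------------+----------+----------+----------+
| CMA | cma-primary    | 192.168.1.2     | up 21716   | up 21715 | up 21705 | down     |
+-----+----------------+-----------------+------------+----------+----------+----------+'

BACKUP_FLAG_SAMPLE='cma-primary true
cma-secondary false'

# Read an mdsstat table on stdin and print "<name> <daemon>" for every daemon
# cell that is not "up <pid>".  Daemon names are taken from the header row,
# so the check does not depend on the column order.
mdsstat_down() {
    awk -F'|' '
        /^[|] *Type/ {
            for (i = 5; i <= NF - 1; i++) { gsub(/ /, "", $i); hdr[i] = $i }
            next
        }
        /^[|] *(MDS|CMA) / {
            name = $3; gsub(/ /, "", name)
            if (name == "-") name = "MDS"
            for (i = 5; i <= NF - 1; i++)
                if ($i !~ /^ *up [0-9]+ *$/) print name, hdr[i]
        }'
}

# Read "<name> <true|false>" lines (cpmiquerybin ... -a __name__,smart_center_backup)
# and print the names whose flag is false.
backup_flag_false() {
    awk '$2 == "false" { print $1 }'
}

# Run both checks on the given mdsstat text and flag listing.
# Returns 0 when everything is healthy, 1 when something needs attention.
check_mgmt_ha() {
    local down flag
    down=$(printf '%s\n' "$1" | mdsstat_down)
    flag=$(printf '%s\n' "$2" | backup_flag_false)
    [ -n "$down" ] && printf 'daemon down: %s\n' "$down"
    [ -n "$flag" ] && printf 'smart_center_backup false: %s\n' "$flag"
    [ -z "$down" ] && [ -z "$flag" ]
}

check_mgmt_ha "$MDSSTAT_SAMPLE" "$BACKUP_FLAG_SAMPLE" || echo "management HA needs attention"
```

On the page's own output this reports "daemon down: cma-primary CPCA" and "smart_center_backup false: cma-secondary"; after the fix described above both lists are empty and the check returns 0, which makes it usable as a cron or monitoring probe.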
= Maximum concurrent connection and firewall memory =
''Revision 420, 2014-04-17T00:12:46Z, Nighthawk: Created page.''

Check Point firewall versions: all currently supported (R65-R77 as of this posting).

<table border="1" cellspacing="4" cellpadding="4">
<tr>
<td><strong>Concurrent connections limit</strong></td>
<td><strong>Hash size (bytes)</strong></td>
<td><strong>Mem. Pool (MB)</strong></td>
<td><strong>Max. Mem. Pool (MB)</strong></td>
</tr>
<tr>
<td style="text-align: center;">0-21000</td>
<td style="text-align: center;">65536</td>
<td style="text-align: center;">6-8</td>
<td style="text-align: center;">24-33</td>
</tr>
<tr>
<td style="text-align: center;">22000-43000</td>
<td style="text-align: center;">131072</td>
<td style="text-align: center;">8-17</td>
<td style="text-align: center;">35-68</td>
</tr>
<tr>
<td style="text-align: center;">44000-87000</td>
<td style="text-align: center;">262144</td>
<td style="text-align: center;">17-34</td>
<td style="text-align: center;">70-139</td>
</tr>
<tr>
<td style="text-align: center;">88000-174000</td>
<td style="text-align: center;">524288</td>
<td style="text-align: center;">35-69</td>
<td style="text-align: center;">140-278</td>
</tr>
<tr>
<td style="text-align: center;">175000-349000</td>
<td style="text-align: center;">1048576</td>
<td style="text-align: center;">70-139</td>
<td style="text-align: center;">280-559</td>
</tr>
<tr>
<td style="text-align: center;">350000-699000</td>
<td style="text-align: center;">2097152</td>
<td style="text-align: center;">140-279</td>
<td style="text-align: center;">560-1119</td>
</tr>
<tr>
<td style="text-align: center;">700000-1398000</td>
<td style="text-align: center;">4194304</td>
<td style="text-align: center;">280-559</td>
<td style="text-align: center;">1121-2047</td>
</tr>
</table>

As an example, for a maximum concurrent connections limit of 725000, an automatic calculation of the connections hash table size and memory pool would result in the following:
* Connections hash table size: 4194304
* Memory pool size: 290 MB
* Maximum memory pool size: 1161 MB

= Mdsquerydb provider-1 command line query tool =
''Revision 50, 2013-04-12T15:56:24Z, Nighthawk: Pushed from Themanclub.''

 mdsquerydb
 Provider-1 Command-Line Database Query Tool
 Usage: mdsquerydb key_name [-f output_file_name]
 Currently running in MDS environment.
 Keys for MDS environment:
 -------------------------
 GlobalNetworkObjects   # Get name and type of all global network objects
 NetworkObjects         # Get all customers' internal Check Point installed network objects
 Customers              # Get names of all PV-1 Customers
 Administrators         # Get names of all PV-1 Administrators
 MDSs                   # Get names and IPs of all MDSs
 CMAs                   # Get names of all CMAs
 GuiClients             # Get names and IPs of all gui clients
 Keys for CMA environment:
 -------------------------
 NetworkObjects         # Get name and type of all network objects
 Gateways               # Get names and IPs of all gateways

Get a list of firewalls (Check Point objects, not counting CMAs):

 mdsquerydb NetworkObjects | grep -v cma | awk -F _ '{print $1}' > firewalls.txt

[[category:check point]]
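The 725000 worked example on the connections page above can be reproduced by rule. The following is an added example, not from the wiki or from Check Point: the rules are a fit to the table on that page, not a published formula. The hash size comes out as the smallest power of two that is at least three times the connections limit (floored at the table's first row, 65536), and the memory pool as 400 bytes per connection; both match every row of the table and the 725000 example exactly. The maximum pool runs close to 1600 bytes per connection, capped at the table's 2047 MB ceiling, which tracks the table within 1 MB (it gives 1160 MB where the page states 1161 MB for 725000), so that column is reported as an approximation.

```shell
#!/bin/bash
# Added example: size the connections hash table and memory pool for a given
# maximum concurrent connections limit.  The rules are fitted to the table on
# this wiki page (assumption: they are not Check Point's published formula).

# Hash size: smallest power of two >= 3 * limit, never below 65536 (the
# table's first row).
conn_hash_size() {
    local limit=$1 size=65536
    while [ "$size" -lt $(( limit * 3 )) ]; do
        size=$(( size * 2 ))
    done
    echo "$size"
}

# Memory pool in MB: 400 bytes per connection, truncated to whole MB.
conn_mem_pool_mb() {
    echo $(( $1 * 400 / 1000000 ))
}

# Approximate maximum memory pool in MB: about 1600 bytes per connection,
# capped at the table's ceiling of 2047 MB.  Within 1 MB of the table.
conn_max_mem_pool_mb() {
    local max=$(( $1 * 1600 / 1000000 ))
    if [ "$max" -gt 2047 ]; then
        max=2047
    fi
    echo "$max"
}

# One-line summary for a limit, e.g. conn_sizing 725000
conn_sizing() {
    printf 'limit=%s hash=%s pool_mb=%s max_pool_mb~%s\n' "$1" \
        "$(conn_hash_size "$1")" "$(conn_mem_pool_mb "$1")" "$(conn_max_mem_pool_mb "$1")"
}

conn_sizing 725000
```

The hash size rule explains why the table's bands double: each band ends where three times the limit would cross the next power of two. Use the pool figure, not the approximate maximum, when checking that a gateway has enough free kernel memory for a raised limit.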
= New IPSO package Installation guide =
''Revision 51, 2013-04-12T15:58:30Z, Nighthawk: Pushed from Themanclub.''

Solution ID: sk40592

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk40592&js_peid=P-114a7bc3b09-10006&partition=General&product=IPSO

[[category:check point]]

= Nighthawk's check point / firewall command scratch pad =
''Revision 284, 2013-10-24T04:26:08Z, Nighthawk: /* misc crap */''

== model number ==

== equivalent of linux ip route get ==
 iclid
 >sh route dest 192.168.1.1

== get IP appliance model number (ipso 6.x and above) ==
 clish -c "show asset hardware" | grep Platform | awk '{print $2}'

== mds crap ==
Run on the Provider-1 after an upgrade with a name change:
 mdsquerydb NetworkObjects | grep firewall-name

Search the CLMs for the last gzipped log:
 for CLM in *; do ls -lt $CLM/CPsuite-R75.20/fw1/log/*.log.gz | grep -m 1 log.gz; done

== misc crap ==
Nokias in /etc/hosts on authric:
 cat /etc/hosts | grep -v eth | awk '{print $2}' | grep '^k...' | more

Ping test: prints the number of packets received (0 or 1) after waiting up to 2 seconds:
 ping -q -c 1 -W 2 host | grep received | awk -F "," '{print $2}' | awk '{print $1}'

Get the count of sync packets sent on a remote firewall via ssh:
 ssh -q -l admin firewallhostname "fw ctl pstat | grep -A 1 \"Sync packets sent\" | grep total" | awk '{print $3}' | awk -F , '{print $1}'

[[category:nokia]]

''Revision 282, 2013-10-10T00:59:05Z, Nighthawk: /* misc crap */ (earlier revision; identical to revision 284 apart from the bootmgr upgrade commands below, which revision 284 dropped)''

'''bootmgr upgrade cmds'''

'''ipso 6.x'''
 upgrade_bootmgr /var/emhome/admin/nkipflash-6.2-GA029a02.bin

'''ipso 4.1 (needs device parameter)'''
To check the boot device number:
ipsctl kern:bootmgr:bmdev upgrade_bootmgr /dev/wd1 /var/emhome/admin/nkipflash-6.2-GA029a02.bin nokias in /etc/hosts on authric cat /etc/hosts | grep -v eth | awk '{print $2}' | grep '^k...' |more ping test 0 / 1 after waiting 2 seconds ping -q -c 1 -W 2 host | grep received | awk -F "," '{print $2}' | awk '{print $1}' get count of sync packets sent on a remote firewall via ssh ssh -q -l admin firewallhostname "fw ctl pstat | grep -A 1 \"Sync packets sent\" | grep total" | awk '{print $3}' | awk -F , '{print $1}' [[category:nokia]] 55 2013-04-12T16:11:58Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki == model number == == equivalent of linux ip route get == iclid >sh route dest 192.168.1.1 == get IP appliance model number (ipso 6.x and above) == clish -c "show asset hardware" | grep Platform | awk '{print $2}' == mds crap == run on p-1 after upgrade w/name change mdsquerydb NetworkObjects |grep firewall-name search CLMs for last gzipped log for CLM in *; do ls -lt $CLM/CPsuite-R75.20/fw1/log/*.log.gz | grep -m 1 log.gz; done == misc crap == '''bootmgr upgrade cmds''' '''ipso 4.1??''' upgrade_bootmgr /var/emhome/admin/nkipflash-6.2-GA029a02.bin '''ipso 6.x?? (needs device parameter)''' upgrade_bootmgr /dev/wd1 /var/emhome/admin/nkipflash-6.2-GA029a02.bin nokias in /etc/hosts on authric cat /etc/hosts | grep -v eth | awk '{print $2}' | grep '^k...' 
|more ping test 0 / 1 after waiting 2 seconds ping -q -c 1 -W 2 host | grep received | awk -F "," '{print $2}' | awk '{print $1}' get count of sync packets sent on a remote firewall via ssh ssh -q -l admin firewallhostname "fw ctl pstat | grep -A 1 \"Sync packets sent\" | grep total" | awk '{print $3}' | awk -F , '{print $1}' [[category:nokia]] Nighthawk's scratch pad 0 4 559 5 2015-08-25T16:11:15Z Nighthawk 1 wikitext text/x-wiki run custom cma_sync_check script with filter /usr/local/bin/cma_sync_stat |grep -E "Lagging|Advanced|Collision|(active)/(active)" format output of custom getpps script for firewall monitoring tail -f /var/tmp/getpps_*_out.csv | awk -F "," '{print $1 ", " $5,"pck/sec ,",$6,"new ierrs ,",$7,"drop rate ,","cpu core idle times:",$9 ",","fw conns=",$10}' [[category:nighthawk]] 5 2013-02-25T22:03:48Z Nighthawk 1 Created page with "run custom cma_sync_check script with filter /usr/local/bin/cma_sync_stat |grep -E "Lagging|Advanced|Collision|(active)/(active)" [[category:nighthawk]]" wikitext text/x-wiki run custom cma_sync_check script with filter /usr/local/bin/cma_sync_stat |grep -E "Lagging|Advanced|Collision|(active)/(active)" [[category:nighthawk]] Nokia / freebsb memory utilization calculation 0 91 145 2013-05-24T15:41:17Z Nighthawk 1 Pushed from Themanclub. 
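The utilization formula of this page, carried through as an added POSIX shell example (not part of the wiki page): it pulls the five sysctl values the page lists out of `sysctl -a` style "key: value" output and evaluates (hw.physmem - (inactive + cache + free) * hw.pagesize) / hw.physmem. The sysctl text is a constructed sample; the function names and the refusal to divide by a missing physmem are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the wiki page): % memory utilization on FreeBSD/IPSO
# from `sysctl -a` output, using the page's formula
#   (hw.physmem - (inactive + cache + free) * hw.pagesize) / hw.physmem
# The values below are a constructed sample, not taken from a real appliance.
SAMPLE_SYSCTL='hw.physmem: 2100350976
hw.pagesize: 4096
vm.stats.vm.v_inactive_count: 120000
vm.stats.vm.v_cache_count: 30000
vm.stats.vm.v_free_count: 50000'

# sysctl_value KEY TEXT: print the value of KEY from "key: value" lines
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1" -F': ' '$1 == k { print $2; exit }'
}

# mem_util_pct TEXT: print utilization as a percentage with one decimal place
mem_util_pct() {
    physmem=$(sysctl_value hw.physmem "$1")
    pagesize=$(sysctl_value hw.pagesize "$1")
    inactive=$(sysctl_value vm.stats.vm.v_inactive_count "$1")
    cache=$(sysctl_value vm.stats.vm.v_cache_count "$1")
    free=$(sysctl_value vm.stats.vm.v_free_count "$1")
    # refuse to divide by a missing or zero physmem (truncated or foreign output)
    if [ -z "$physmem" ] || [ "$physmem" -le 0 ]; then
        echo "hw.physmem missing from sysctl output" >&2
        return 1
    fi
    awk -v p="$physmem" -v ps="$pagesize" -v i="$inactive" -v c="$cache" -v f="$free" \
        'BEGIN { avail = (i + c + f) * ps; printf "%.1f\n", (p - avail) * 100 / p }'
}

# On a live box: mem_util_pct "$(sysctl -a)"
mem_util_pct "$SAMPLE_SYSCTL"
```

The five `sysctl -a | grep ...` commands of the page can be replaced by one `sysctl -a` capture fed to `mem_util_pct`; the function is pure awk arithmetic, so it runs on a stock IPSO shell without perl.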
== Formula ==
 % utilization = used memory / total
               = (total - available) / total
               = (hw.physmem - ((vm.stats.vm.v_inactive_count * hw.pagesize) + (vm.stats.vm.v_cache_count * hw.pagesize) + (vm.stats.vm.v_free_count * hw.pagesize))) / hw.physmem

== commands to gather memory data ==
 sysctl -a | grep vm.stats.vm.v_inactive_count
 sysctl -a | grep vm.stats.vm.v_cache_count
 sysctl -a | grep vm.stats.vm.v_free_count
 sysctl -a | grep hw.pagesize
 sysctl -a | grep hw.physmem

== Links ==
http://www.cyberciti.biz/files/scripts/freebsd-memory.pl.txt
[[category:nokia]]

= Nokia IPSO clish config example =
Page 29, revision 611 (parent 451), 2017-02-15T16:55:21Z, Nighthawk: Nighthawk moved page [[Nokia clish config example]] to [[Nokia IPSO clish config example]] without leaving a redirect.

 clish -c "set interface eth1 active on"
 clish -c "set interface eth1 duplex full"
 clish -c "set interface eth1 speed 1000M"
 clish -c "add interface eth1c0 address 10.0.0.2/28"
 clish -c "set mcvr vrid 10 priority 95"
 clish -c "set mcvr vrid 10 priority-delta 10"
 clish -c "add mcvr vrid 10 backup-address 10.0.0.1"
 clish -c "set interface eth-s1p2 active on"
 clish -c "set interface eth-s1p2 duplex full"
 clish -c "set interface eth-s1p2 speed 1000M"
 clish -c "add interface eth-s1p2 vlanid 100"     # this creates a logical interface named eth-s1p2c1
 clish -c "add interface eth-s1p2c1 address 192.168.1.2/27"
 clish -c "add interface eth-s1p2 vlanid 200"
 clish -c "add interface eth-s1p2c2 address 192.168.100.2/27"
 clish -c "add mcvr vrid 10 backup-address 192.168.1.1"
 clish -c "add mcvr vrid 10 backup-address 192.168.100.1"
 echo "adding routes"
 clish -c "set static-route default nexthop gateway address 10.0.0.1 priority 1 on"
 clish -c "set static-route 10.124.0.0/15 nexthop gateway address 10.0.0.1 on"
 clish -c "add arpproxy address 192.168.1.10 macaddress 00:00:5e:00:01:69"
 clish -c "set vrrp accept-connections on"
 clish -c "set vrrp monitor-firewall off"
 clish -c "set vrrp coldstart-delay 90"
 clish -c "save config"
[[category:nokia]]

Earlier revisions of this page, all by Nighthawk, hold drafts of the same script: revision 451 (2014-05-11T03:58:23Z) is identical to the current text; revisions 450 (2014-05-11T03:56:23Z) and 449 (2014-05-11T03:55:30Z) lack the vlanid 200 / eth-s1p2c2 / 192.168.100.x lines and repeat the two mcvr priority lines after the eth-s1p2c1 address; revisions 448 (2014-05-11T03:42:32Z), 319 (2013-12-03T19:21:00Z) and 33 (2013-02-26T01:56:29Z, Pushed from Themanclub) are an earlier variant addressing eth-s1p1c0 10.4.16.1/30, eth-s1p2c1 (448) or eth-s1p2c0 (319, 33) 192.168.1.1/27 and eth1c0 10.0.0.9/28, with VRRP backup addresses 192.168.1.1.75 (sic) and 10.0.0.9 and, in 448 and 319, an arpproxy entry for 171.161.228.129.

= Nokia boot failed due to raid mirror =
Page 69, revision 547 (parent 542), 2015-01-07T20:39:20Z, Nighthawk: /* relabel volume metadata (ipso 6.x) */

==Problem==
Nokia firewall fails to boot off a RAID pair of drives moved from another chassis. This is because the volume is deactivated when moved between systems.

'''Errors:'''
 Boot manager loaded.
 Entering autoboot mode.
 Type any character to enter command mode.
 Error: /image on /dev/mirror/gmroots1f does not exist or is not a file
 umount: /mnt: not a file system root directory
 boot failed

==Solution==
=== activate raid volume ===
 BOOTMGR[1]> '''raid'''
 --------------------------------------------------------
 IPSO LSI Logic Configuration Utility
 version : Version 0.5, June 8, 2007
 --------------------------------------------------------
 Adapter Type ............. 3 (SAS Adapter)
 PCI Device ID ............ 0x0056
 Hardware Revision ID ..... 0x0004
 Devices in Volume ........ 0
 FW Version ............... (01.18.00.00) decimal
 MPI Version of FW ........ MPI Version 1.5.13.0
 --------------------------------------------------------
 1) Raid Options Sub-Menu
 2) Firmware operations
 q) EXIT
 --------------------------------------------------------
 Choose an option: '''1'''
 
 ------------------- RAID MENU --------------------------
 1) Show volume(s)
 2) Show physical disk(s)
 3) Get Volume Status
 
 Options below available from boot manager
 -----------------------------------------
 10) Disable volume
 11) Enable volume
 12) Deactivate volume
 13) Activate volume
 30) Create RAID Volume
 31) Delete RAID Volume
 q) Main Menu
 --------------------------------------------------------
 Choose an option: '''13'''
 Volume: [0-1 or RETURN to quit] 0
 
 Volume 0 is being activated
 
 Changes made, doing a camcontrol rescan
 Re-scan of bus 0 was successful
 Re-scan of bus 0 was successful
 Waiting 5 seconds for SCSI devices to settle ...... done
 
 ------------------- RAID MENU --------------------------
 1) Show volume(s)
 2) Show physical disk(s)
 3) Get Volume Status
 
 Options below available from boot manager
 -----------------------------------------
 10) Disable volume
 11) Enable volume
 12) Deactivate volume
 13) Activate volume
 30) Create RAID Volume
 31) Delete RAID Volume
 q) Main Menu
 --------------------------------------------------------
 
 Choose an option: '''1'''
 ------------------ Show Volumes ------------------------
 1 volume is active, 2 physical disks are active
 
 Volume 0 is Bus 0 Target 0, Type IM (Integrated Mirroring)
   Volume State: '''degraded, enabled, resync in progress'''
   Volume Settings: write caching enabled, auto configure
   Volume draws from Hot Spare Pools: 0
   Volume Size 76158 MB, Stripe Size 0 KB, 2 Members
   Primary is PhysDisk 0 (Bus 0 Target 4)
   Secondary is PhysDisk 1 (Bus 0 Target 1)
 
 ------------------- RAID MENU --------------------------
 1) Show volume(s)
 2) Show physical disk(s)
 3) Get Volume Status
 
 Options below available from boot manager
 -----------------------------------------
 10) Disable volume
 11) Enable volume
 12) Deactivate volume
 13) Activate volume
 30) Create RAID Volume
 31) Delete RAID Volume
 q) Main Menu
 --------------------------------------------------------
 Choose an option: '''q'''
 --------------------------------------------------------
 1) Raid Options Sub-Menu
 2) Firmware operations
 q) EXIT
 --------------------------------------------------------
 
 Choose an option: '''q'''
 Re-scan of bus 0 was successful
 Re-scan of bus 0 was successful
 Waiting 5 seconds for SCSI devices to settle ..
 Type 'boot <enter>' to continue boot process ..

If the device O.S. is ipso 4.x, then you are done and it should be ready to boot. The raid will likely show degraded and resync in progress, but it is usable during the resync. If ipso 6.x, continue...

=== relabel volume metadata (ipso 6.x)===
'''check macbase data for mismatch'''

A mismatch in the mirror metadata for the macbase will cause the mounting of the root file system to fail. This will be the case when trying to boot off a drive pair from another device.

1) Determine the name of the disk device. This varies by platform.
 BOOTMGR[2]> '''sysinfo'''
 CPU 0: 2793 MHz Intel(R) Xeon(TM) CPU 2.80GHz
 Memory: 2100350976 (2004M bytes)
 Disk Devices:
 IO port 0x1f0
 adc0: unit 0 (ad0): <STI Flash 8.0.0> 1024MB (2001888 sectors), 1986 cyls, 16 heads, 63 S/T
 IO port 0x6088
 adc2: unit 0 ('''ad4'''): <FUJITSU MHY2080BS> 80026MB (156301488 sectors), 16383 cyls, 16 heads, 63 S/T

2) Enter the maintenance shell. This command should result in a new # prompt.
 BOOTMGR[5]> '''sh'''

3) Check the mac address in the raid label.
 # '''gmirror dump da0s1'''
 Metadata on da0:
      magic: GEOM::MIRROR
    version: 4
       name: gmroots1
        mid: 2548360505
        did: 1949224550
        all: 1
      genid: 0
     syncid: 1
   priority: 0
      slice: 4096
    balance: round-robin
  mediasize: 79857450496
 sectorsize: 512
 syncoffset: 0
     mflags: NOAUTOSYNC
     dflags: NONE
 hcprovider:
   provsize: 79857451008
    macbase: 0 a0 8e c1 97 10
   MD5 hash: 7f666d5c5c279faa7fb7a1d42b43555d

4) Check the hardware mac address.
 # '''ipsctl -a hw:eeprom:mac_addr_base'''
 hw:eeprom:mac_addr_base = 0:a0:8e:be:aa:50

5) Compare the mac_addr_base to the macbase above. If they are mismatched, then relabel.

'''relabel volume metadata'''
 # '''gmirror deactivate gmroots1 ad4s1'''    (It's OK if this command returns an error)
 # '''gmirror clear ad4s1'''
 # '''gmirror label -v -n -b round-robin gmroots1 ad4s1'''

The system should now boot!

== links ==
taken from [http://dl3.checkpoint.com/paid/43/RAID.pdf?HashKey=1411187746_b3e9208e053682b1d5b208df8b23cf82&xtn=.pdf raid.doc]
[[category:nokia]]

Earlier revision 542 (parent 541), 2014-10-02T07:23:59Z, Nighthawk: /* relabel volume metadata (ipso 6.x) */. Same text as the current revision, but without the numbered steps and the sysinfo step, and using da0s1 rather than ad4s1 in the three relabel commands.
This is because the volume is deactivated when moved between systems. '''Errors:''' Boot manager loaded. Entering autoboot mode. Type any character to enter command mode. Error: /image on /dev/mirror/gmroots1f does not exist or is not a file umount: /mnt: not a file system root directory boot failed ==Solution== === activate raid volume === BOOTMGR[1]> '''raid''' -------------------------------------------------------- IPSO LSI Logic Configuration Utility version : Version 0.5, June 8, 2007 -------------------------------------------------------- Adapter Type ............. 3 (SAS Adapter) PCI Device ID ............ 0x0056 Hardware Revision ID ..... 0x0004 Devices in Volume ........ 0 FW Version ............... (01.18.00.00) decimal MPI Version of FW ........ MPI Version 1.5.13.0 -------------------------------------------------------- 1) Raid Options Sub-Menu 2) Firmware operations q) EXIT -------------------------------------------------------- Choose an option: '''1''' ------------------- RAID MENU -------------------------- 1) Show volume(s) 2) Show physical disk(s) 3) Get Volume Status <br> Options below available from boot manager ----------------------------------------- 10) Disable volume 11) Enable volume 12) Deactivate volume 13) Activate volume 30) Create RAID Volume 31) Delete RAID Volume q) Main Menu -------------------------------------------------------- Choose an option: '''13''' Volume: [0-1 or RETURN to quit] 0 <br> Volume 0 is being activated <br> Changes made, doing a camcontrol rescan Re-scan of bus 0 was successful Re-scan of bus 0 was successful Waiting 5 seconds for SCSI devices to settle ...... 
done ------------------- RAID MENU -------------------------- 1) Show volume(s) 2) Show physical disk(s) 3) Get Volume Status <br> Options below available from boot manager ----------------------------------------- 10) Disable volume 11) Enable volume 12) Deactivate volume 13) Activate volume 30) Create RAID Volume 31) Delete RAID Volume q) Main Menu -------------------------------------------------------- <br> Choose an option: '''1''' ------------------ Show Volumes ------------------------ 1 volume is active, 2 physical disks are active <br> Volume 0 is Bus 0 Target 0, Type IM (Integrated Mirroring) Volume State: '''degraded, enabled, resync in progress''' Volume Settings: write caching enabled, auto configure Volume draws from Hot Spare Pools: 0 Volume Size 76158 MB, Stripe Size 0 KB, 2 Members Primary is PhysDisk 0 (Bus 0 Target 4) Secondary is PhysDisk 1 (Bus 0 Target 1) <br> ------------------- RAID MENU -------------------------- 1) Show volume(s) 2) Show physical disk(s) 3) Get Volume Status <br> Options below available from boot manager ----------------------------------------- 10) Disable volume 11) Enable volume 12) Deactivate volume 13) Activate volume 30) Create RAID Volume 31) Delete RAID Volume q) Main Menu -------------------------------------------------------- Choose an option: '''q''' -------------------------------------------------------- 1) Raid Options Sub-Menu 2) Firmware operations q) EXIT -------------------------------------------------------- <br> Choose an option: '''q''' Re-scan of bus 0 was successful Re-scan of bus 0 was successful Waiting 5 seconds for SCSI devices to settle .. Type 'boot <enter>' to continue boot process .. If the device O.S. is ipso 4.x, then you are done and it should be ready to boot. The raid will likely show degraded and resync in progress, but it is usable during the resync. If ipso 6.x, continue... 
=== relabel volume metadata (ipso 6.x)=== '''check macbase data for mismatch''' A mismatch in the mirror metadata for the macbase will cause the mounting of the root file system to fail. This will be the case when trying to boot off a drive pair from another device. Enter maintenance shell BOOTMGR[5]> '''sh''' Check mac address in the raid label # '''gmirror dump da0s1''' Metadata on da0: magic: GEOM::MIRROR version: 4 name: gmroots1 mid: 2548360505 did: 1949224550 all: 1 genid: 0 syncid: 1 priority: 0 slice: 4096 balance: round-robin mediasize: 79857450496 sectorsize: 512 syncoffset: 0 mflags: NOAUTOSYNC dflags: NONE hcprovider: provsize: 79857451008 macbase: 0 a0 8e c1 97 10 MD5 hash: 7f666d5c5c279faa7fb7a1d42b43555d Check hardware mac address # '''ipsctl -a hw:eeprom:mac_addr_base''' hw:eeprom:mac_addr_base = 0:a0:8e:be:aa:50 compare the mac_addr_base to the macbase above. if mis-matched, then relabel... '''relabel volume metadata''' # '''gmirror deactivate gmroots1 da0s1''' (It’s OK if this command returns an error) # '''gmirror clear da0s1''' # '''gmirror label –v –n –b round-robin gmroots1 da0s1''' system should now boot! == links == taken from [http://dl3.checkpoint.com/paid/43/RAID.pdf?HashKey=1411187746_b3e9208e053682b1d5b208df8b23cf82&xtn=.pdf raid.doc] [[category:nokia]] 541 540 2014-10-02T06:18:13Z Nighthawk 1 /* activate raid volume */ wikitext text/x-wiki ==Problem== Nokia firewall fails to boot off a RAID pair of drives moved from another chassis. This is because the volume is deactivated when moved between systems. '''Errors:''' Boot manager loaded. Entering autoboot mode. Type any character to enter command mode. 
Error: /image on /dev/mirror/gmroots1f does not exist or is not a file umount: /mnt: not a file system root directory boot failed ==Solution== === activate raid volume === BOOTMGR[1]> '''raid''' -------------------------------------------------------- IPSO LSI Logic Configuration Utility version : Version 0.5, June 8, 2007 -------------------------------------------------------- Adapter Type ............. 3 (SAS Adapter) PCI Device ID ............ 0x0056 Hardware Revision ID ..... 0x0004 Devices in Volume ........ 0 FW Version ............... (01.18.00.00) decimal MPI Version of FW ........ MPI Version 1.5.13.0 -------------------------------------------------------- 1) Raid Options Sub-Menu 2) Firmware operations q) EXIT -------------------------------------------------------- Choose an option: '''1''' ------------------- RAID MENU -------------------------- 1) Show volume(s) 2) Show physical disk(s) 3) Get Volume Status <br> Options below available from boot manager ----------------------------------------- 10) Disable volume 11) Enable volume 12) Deactivate volume 13) Activate volume 30) Create RAID Volume 31) Delete RAID Volume q) Main Menu -------------------------------------------------------- Choose an option: '''13''' Volume: [0-1 or RETURN to quit] 0 <br> Volume 0 is being activated <br> Changes made, doing a camcontrol rescan Re-scan of bus 0 was successful Re-scan of bus 0 was successful Waiting 5 seconds for SCSI devices to settle ...... 
done ------------------- RAID MENU -------------------------- 1) Show volume(s) 2) Show physical disk(s) 3) Get Volume Status <br> Options below available from boot manager ----------------------------------------- 10) Disable volume 11) Enable volume 12) Deactivate volume 13) Activate volume 30) Create RAID Volume 31) Delete RAID Volume q) Main Menu -------------------------------------------------------- <br> Choose an option: '''1''' ------------------ Show Volumes ------------------------ 1 volume is active, 2 physical disks are active <br> Volume 0 is Bus 0 Target 0, Type IM (Integrated Mirroring) Volume State: '''degraded, enabled, resync in progress''' Volume Settings: write caching enabled, auto configure Volume draws from Hot Spare Pools: 0 Volume Size 76158 MB, Stripe Size 0 KB, 2 Members Primary is PhysDisk 0 (Bus 0 Target 4) Secondary is PhysDisk 1 (Bus 0 Target 1) <br> ------------------- RAID MENU -------------------------- 1) Show volume(s) 2) Show physical disk(s) 3) Get Volume Status <br> Options below available from boot manager ----------------------------------------- 10) Disable volume 11) Enable volume 12) Deactivate volume 13) Activate volume 30) Create RAID Volume 31) Delete RAID Volume q) Main Menu -------------------------------------------------------- Choose an option: '''q''' -------------------------------------------------------- 1) Raid Options Sub-Menu 2) Firmware operations q) EXIT -------------------------------------------------------- <br> Choose an option: '''q''' Re-scan of bus 0 was successful Re-scan of bus 0 was successful Waiting 5 seconds for SCSI devices to settle .. Type 'boot <enter>' to continue boot process .. If the device O.S. is ipso 4.x, then you are done and it should be ready to boot. The raid will likely show degraded and resync in progress, but it is usable during the resync. If ipso 6.x, continue... 
=== relabel volume metadata (ipso 6.x)=== '''check macbase data for mismatch''' A mismatch in the mirror metadata for the macbase will cause the mounting of the root file system to fail. This will be the case when trying to boot off a drive pair from another device. # '''gmirror dump da0s1''' Metadata on da0: magic: GEOM::MIRROR version: 4 name: gmroots1 mid: 2548360505 did: 1949224550 all: 1 genid: 0 syncid: 1 priority: 0 slice: 4096 balance: round-robin mediasize: 79857450496 sectorsize: 512 syncoffset: 0 mflags: NOAUTOSYNC dflags: NONE hcprovider: provsize: 79857451008 macbase: 0 a0 8e c1 97 10 <<<<<<<<<<<<<<<< compare to macbase below, if mis-matched, then relabel... MD5 hash: 7f666d5c5c279faa7fb7a1d42b43555d # '''ipsctl -a hw:eeprom:mac_addr_base''' hw:eeprom:mac_addr_base = 0:a0:8e:be:aa:50 '''relabel volume metadata''' # '''gmirror deactivate gmroots1 da0s1''' (It’s OK if this command returns an error) # '''gmirror clear da0s1''' # '''gmirror label –v –n –b round-robin gmroots1 da0s1''' system should now boot! == links == taken from [http://dl3.checkpoint.com/paid/43/RAID.pdf?HashKey=1411187746_b3e9208e053682b1d5b208df8b23cf82&xtn=.pdf raid.doc] [[category:nokia]] 540 539 2014-10-02T06:13:27Z Nighthawk 1 /* relabel volume metadata (ipso 6.x) */ wikitext text/x-wiki ==Problem== Nokia firewall fails to boot off a RAID pair of drives moved from another chassis. This is because the volume is deactivated when moved between systems. '''Errors:''' Boot manager loaded. Entering autoboot mode. Type any character to enter command mode. Error: /image on /dev/mirror/gmroots1f does not exist or is not a file umount: /mnt: not a file system root directory boot failed ==Solution== === activate raid volume === BOOTMGR[1]> '''raid''' -------------------------------------------------------- IPSO LSI Logic Configuration Utility version : Version 0.5, June 8, 2007 -------------------------------------------------------- Adapter Type ............. 
 3 (SAS Adapter)
 PCI Device ID ............ 0x0056
 Hardware Revision ID ..... 0x0004
 Devices in Volume ........ 0
 FW Version ............... (01.18.00.00) decimal
 MPI Version of FW ........ MPI Version 1.5.13.0
 --------------------------------------------------------
 1) Raid Options Sub-Menu
 2) Firmware operations
 q) EXIT
 --------------------------------------------------------
 Choose an option: '''1'''
 ------------------- RAID MENU --------------------------
 1) Show volume(s)
 2) Show physical disk(s)
 3) Get Volume Status
 <br>
 Options below available from boot manager
 -----------------------------------------
 10) Disable volume
 11) Enable volume
 12) Deactivate volume
 13) Activate volume
 30) Create RAID Volume
 31) Delete RAID Volume
 q) Main Menu
 --------------------------------------------------------
 Choose an option: '''13'''
 Volume: [0-1 or RETURN to quit] 0
 <br>
 Volume 0 is being activated
 <br>
 Changes made, doing a camcontrol rescan
 Re-scan of bus 0 was successful
 Re-scan of bus 0 was successful
 Waiting 5 seconds for SCSI devices to settle ...... done
 ------------------- RAID MENU --------------------------
 1) Show volume(s)
 2) Show physical disk(s)
 3) Get Volume Status
 <br>
 Options below available from boot manager
 -----------------------------------------
 10) Disable volume
 11) Enable volume
 12) Deactivate volume
 13) Activate volume
 30) Create RAID Volume
 31) Delete RAID Volume
 q) Main Menu
 --------------------------------------------------------
 <br>
 Choose an option: '''1'''
 ------------------ Show Volumes ------------------------
 1 volume is active, 2 physical disks are active
 <br>
 Volume 0 is Bus 0 Target 0, Type IM (Integrated Mirroring)
   Volume State: degraded, enabled, resync in progress
   Volume Settings: write caching enabled, auto configure
   Volume draws from Hot Spare Pools: 0
   Volume Size 76158 MB, Stripe Size 0 KB, 2 Members
     Primary is PhysDisk 0 (Bus 0 Target 4)
     Secondary is PhysDisk 1 (Bus 0 Target 1)
 <br>
 ------------------- RAID MENU --------------------------
 1) Show volume(s)
 2) Show physical disk(s)
 3) Get Volume Status
 <br>
 Options below available from boot manager
 -----------------------------------------
 10) Disable volume
 11) Enable volume
 12) Deactivate volume
 13) Activate volume
 30) Create RAID Volume
 31) Delete RAID Volume
 q) Main Menu
 --------------------------------------------------------
 Choose an option: '''q'''
 --------------------------------------------------------
 1) Raid Options Sub-Menu
 2) Firmware operations
 q) EXIT
 --------------------------------------------------------
 <br>
 Choose an option: '''q'''
 Re-scan of bus 0 was successful
 Re-scan of bus 0 was successful
 Waiting 5 seconds for SCSI devices to settle ..
 Type 'boot <enter>' to continue boot process ..

If the device OS is ipso 4.x, then you are done and it should be ready to boot. If ipso 6.x, continue...

=== relabel volume metadata (ipso 6.x) ===

'''check macbase data for mismatch'''

A mismatch in the mirror metadata for the macbase will cause the mounting of the root file system to fail. This will be the case when trying to boot off a drive pair from another device.

 # '''gmirror dump da0s1'''
 Metadata on da0:
      magic: GEOM::MIRROR
    version: 4
       name: gmroots1
        mid: 2548360505
        did: 1949224550
        all: 1
      genid: 0
     syncid: 1
   priority: 0
      slice: 4096
    balance: round-robin
  mediasize: 79857450496
 sectorsize: 512
 syncoffset: 0
     mflags: NOAUTOSYNC
     dflags: NONE
 hcprovider:
   provsize: 79857451008
    macbase: 0 a0 8e c1 97 10          <<<<<<<<<<<<<<<< compare to macbase below, if mis-matched, then relabel...
   MD5 hash: 7f666d5c5c279faa7fb7a1d42b43555d
 <br>
 # '''ipsctl -a hw:eeprom:mac_addr_base'''
 hw:eeprom:mac_addr_base = 0:a0:8e:be:aa:50

'''relabel volume metadata'''

 # '''gmirror deactivate gmroots1 da0s1'''     (It's OK if this command returns an error)
 # '''gmirror clear da0s1'''
 # '''gmirror label -v -n -b round-robin gmroots1 da0s1'''

system should now boot!

== links ==
taken from [http://dl3.checkpoint.com/paid/43/RAID.pdf?HashKey=1411187746_b3e9208e053682b1d5b208df8b23cf82&xtn=.pdf raid.doc]

[[category:nokia]]
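The macbase check above, as an added POSIX sh example that is not from the original page or from Check Point: it parses the two outputs the page compares by eye, normalizes the two MAC formats (gmirror dump prints unpadded space-separated bytes, ipsctl prints colon-separated ones), and reports whether the relabel step is needed. The gmirror dump and ipsctl outputs are constructed strings carrying the page's sample values; on a live box they would be command substitutions of the two commands.

```shell
#!/bin/sh
# Added example, not part of the original page: automate the "check macbase
# data for mismatch" step. It compares the macbase stored in the gmirror
# metadata of the root slice with the chassis EEPROM MAC base; a mismatch
# means the drive pair came from another chassis and gmroots1 must be
# relabeled as the page describes.
#
# On a live IPSO 6.x box the two inputs would be
#   GMIRROR_DUMP=$(gmirror dump da0s1)
#   IPSCTL_OUT=$(ipsctl -a hw:eeprom:mac_addr_base)
# Here they are constructed strings (values copied from the page's sample
# output) so the script runs offline.

GMIRROR_DUMP='Metadata on da0:
     magic: GEOM::MIRROR
   version: 4
      name: gmroots1
   macbase: 0 a0 8e c1 97 10
  MD5 hash: 7f666d5c5c279faa7fb7a1d42b43555d'

IPSCTL_OUT='hw:eeprom:mac_addr_base = 0:a0:8e:be:aa:50'

# normalize_mac MAC: accept either "0 a0 8e c1 97 10" (gmirror dump form) or
# "0:a0:8e:be:aa:50" (ipsctl form) and print the canonical 12-hex-digit
# lowercase form (00a08ec19710) so the two can be compared byte for byte.
# Neither tool zero-pads single-digit bytes, so padding is done here.
normalize_mac() {
    printf '%s\n' "$1" | tr ':A-F' ' a-f' | awk '{
        out = ""
        for (i = 1; i <= NF; i++) {
            b = $i
            if (length(b) == 1) b = "0" b
            out = out b
        }
        print out
    }'
}

# metadata_macbase DUMP: the six bytes after "macbase:" in gmirror dump output.
# Only fields 2-7 are taken, so a trailing annotation on that line is ignored.
metadata_macbase() {
    printf '%s\n' "$1" | awk '$1 == "macbase:" { print $2, $3, $4, $5, $6, $7 }'
}

# eeprom_macbase OUT: the value after " = " in ipsctl output.
eeprom_macbase() {
    printf '%s\n' "$1" | awk -F' = ' '$1 == "hw:eeprom:mac_addr_base" { print $2 }'
}

# macbase_matches DUMP OUT: succeeds (exit 0) when both values were found and
# are equal after normalization, fails otherwise (relabel needed or unknown).
macbase_matches() {
    meta=$(normalize_mac "$(metadata_macbase "$1")")
    eeprom=$(normalize_mac "$(eeprom_macbase "$2")")
    [ -n "$meta" ] && [ -n "$eeprom" ] && [ "$meta" = "$eeprom" ]
}

# Report the page's "if mis-matched, then relabel" decision for the samples.
report() {
    if macbase_matches "$GMIRROR_DUMP" "$IPSCTL_OUT"; then
        echo "macbase matches EEPROM: no relabel needed"
    else
        echo "macbase MISMATCH: metadata $(normalize_mac "$(metadata_macbase "$GMIRROR_DUMP")")," \
             "eeprom $(normalize_mac "$(eeprom_macbase "$IPSCTL_OUT")")"
        echo "relabel gmroots1: gmirror deactivate / gmirror clear / gmirror label (see above)"
    fi
}

report
```

With the page's sample values the script reports a mismatch (c1:97:10 in the metadata versus be:aa:50 in the EEPROM), which is exactly the case in which the relabel commands apply.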
volume 12) Deactivate volume 13) Activate volume 30) Create RAID Volume 31) Delete RAID Volume q) Main Menu -------------------------------------------------------- Choose an option: '''q''' -------------------------------------------------------- 1) Raid Options Sub-Menu 2) Firmware operations q) EXIT -------------------------------------------------------- <br> Choose an option: '''q''' Re-scan of bus 0 was successful Re-scan of bus 0 was successful Waiting 5 seconds for SCSI devices to settle .. Type 'boot <enter>' to continue boot process .. 98 2013-05-17T15:42:41Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki Problem: Errors: Boot manager loaded. Entering autoboot mode. Type any character to enter command mode. Error: /image on /dev/mirror/gmroots1f does not exist or is not a file umount: /mnt: not a file system root directory boot failed Solution: Nokia clish dhcp 0 48 53 2013-04-12T16:00:11Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki == enbling dhcp on an interface<br><br> == NokiaIP130:44>add dhcp client interface eth-s3p1c0<br><br> NokiaIP130:44>set dhcp client enable<br><br> NokiaIP130:44>set interface eth-s3p1c0 enable<br><br> == disabling dhcp on an interface== NokiaIP130:44> '''set dhcp client disable'''<br> NokiaIP130:45> '''delete dhcp client interface eth-s1p1c0'''<br> [[category:nokia]] Nokia config lock override 0 92 146 2013-05-24T15:41:42Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki >set config-lock on override [[category:nokia]] Nokia firewall admin password reset 0 70 99 2013-05-17T15:43:06Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki 1- Boot to single user mode BOOTMGR1> boot -s 2- Once the system gets to single user mode, you'll get the prompt: "Enter pathname of shell or RETURN for sh:" Just hit the RETURN key again to get a prompt. 
3- At the unix shell prompt, run the overpw tool to reset the password to a known state by typing:
 # /etc/overpw
4- Complete the boot: type CTRL-D to exit the single user shell.
5- Once the system finishes booting fully, you can log in to the admin account with your new password.
[[category:nokia]]

Nokia firewall config backups 0 93 301 148 2013-11-05T04:47:33Z Nighthawk 1 /* parsing the backup files */ wikitext text/x-wiki
== backing up the firewall config ==
 clish -c "set backup manual filename backup_filename"
 clish -c "set backup manual on"
The backup file will be in /var/backup
== parsing the backup files ==
static routes
 cat /var/takebackup/config/db/initial |grep static
[[category:nokia]]

Nokia firewall disk commands 0 71 100 2013-05-17T15:43:30Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki
 show disks
 show disk 0
[[category:nokia]]

Nokia firewall hosts file editing 0 30 147 34 2013-05-24T15:43:10Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki
You cannot directly edit the hosts file on Nokia Check Point firewalls.

adding a new host entry through clish:
 NokiaIP2450[admin]# clish
 NokiaIP2450:104> add host name firewall-2450 ipv4 192.168.1.1
 NokiaIP2450:104> save config
alter existing entry:
 NokiaIP2450:104> set host name firewall-2450 ipv4 192.168.1.1
delete existing line / entry:
 NokiaIP2450:104> delete host name firewall-2450
[[category:nokia]]

Nokia flash to disk conversion 0 51 56 2013-04-12T16:17:45Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki
'''How to convert IP390 or IP560 Security Platforms from Flash-Based to Disk-Based Appliances'''
https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eventSubmit_doGoviewsolutiondetails=&solutionid=sk41505

'''How to tell if your system is Disk-based, Hybrid, or Flash-only'''
Solution ID: sk40435
Product: IP Appliances
Version: IP1220, IP1260, IP560, IP390, All
Platform: IP1220, IP1260, IP560, IP390
Last Modified: 14-Apr-2009

'''Solution'''
The two partitions /var and /opt are mounted differently depending on the initial system configuration:
* for Disk-based systems both the /var and /opt partitions are mounted on the hard disk (wd0)
* for Hybrid systems (local Check Point logging on HDD) the /opt partition is mounted on v9fs and the /var partition is mounted on the optional hard disk (wd1) (this assumes the customer has previously enabled the optional HDD for local logging -- see article 1350934)
* for Flash-only systems the /var and /opt partitions are mounted on v9fs (on-board memory file system)
Please use the "df -k" CLI command to verify your configuration as shown in the examples below. These apply to IP390, IP560 and IP12XX.
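The three-way rule above (where /var and /opt are mounted decides disk-based, hybrid or flash-only) is easy to misread in a long df listing, especially with /var/tmp2/upgrade sitting next to /var. The script below is an added example, not Check Point's or this wiki's code: it applies that rule to df -k output with an exact mount-point match. The function names, the classification labels and the sample listings are my own, although the sample column values are copied from the three df -k listings shown on this page.

```shell
#!/bin/sh
# Added example (not Check Point's or the wiki author's code): classify an
# IPSO appliance as disk-based, hybrid or flash-only from "df -k" output,
# using only the rule the SK text gives, i.e. which filesystem backs /var
# and /opt. Function names and labels are my own choices.

# mount_source DF_OUTPUT MOUNTPOINT
# Print the "Filesystem" column of the df line whose mount point equals
# MOUNTPOINT exactly (so /var/tmp2/upgrade never matches /var).
mount_source() {
    printf '%s\n' "$1" | awk -v mp="$2" '$NF == mp { print $1; exit }'
}

# classify_ipso_storage DF_OUTPUT -> disk-based | hybrid | flash-only | unknown
classify_ipso_storage() {
    var_fs=$(mount_source "$1" /var)
    opt_fs=$(mount_source "$1" /opt)
    case "$var_fs:$opt_fs" in
        /dev/wd0*:/dev/wd0*) echo disk-based ;;   # both on the internal HDD (wd0)
        /dev/wd1*:v9fs)      echo hybrid ;;       # /var on optional HDD (wd1), /opt in flash
        v9fs:v9fs)           echo flash-only ;;   # both in the on-board memory fs
        *)                   echo unknown ;;      # mount missing or unexpected layout
    esac
}

# Constructed samples; column values copied from the three listings on this page.
DF_DISK='Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/wd0f 598029 85871 464316 16% /
/dev/wd0a 37556 32 34520 0% /config
/dev/wd0d 30978766 287029 28213436 1% /var
/dev/wd0e 5268700 268396 4578808 6% /opt
procfs 4 4 0 100% /proc'

DF_HYBRID='Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/wd0f 266383 44080 200993 18% /
v9fs 767388 50548 716840 7% /image/IPSO-4.1-BUILD013-03.27.2006-223017-1515/rfs
/dev/wd0a 31775 161 29072 1% /config
/dev/wd0h 664831 205476 406169 34% /preserve
/dev/wd1d 37905549 23674 34849432 0% /var
procfs 4 4 0 100% /proc
mfs:92 7607 0 6998 0% /var/tmp2/upgrade
v9fs 837452 120612 716840 14% /opt'

DF_FLASH='Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/wd0f 266383 44080 200993 18% /
v9fs 755824 50548 705276 7% /image/IPSO-4.1-BUILD013-03.27.2006-223017-1515/rfs
/dev/wd0a 31775 161 29072 1% /config
/dev/wd0h 664831 205478 406167 34% /preserve
procfs 4 4 0 100% /proc
v9fs 716840 11564 705276 2% /var
mfs:97 7607 0 6998 0% /var/tmp2/upgrade
v9fs 825888 120612 705276 15% /opt'

# On a live appliance you would run:  classify_ipso_storage "$(df -k)"
for sample in DF_DISK DF_HYBRID DF_FLASH; do
    eval "out=\$$sample"
    printf '%s: %s\n' "$sample" "$(classify_ipso_storage "$out")"
done
```

The exact match on the last column is the important detail: a loose grep for "/var" would also hit the mfs line mounted at /var/tmp2/upgrade and could report the wrong backing device. Anything that is not one of the three documented layouts is reported as unknown rather than forced into a category.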
'''Disk-based installation verification information'''
 TOP[admin]# df -k
 Filesystem 1K-blocks Used Avail Capacity Mounted on
 /dev/wd0f 598029 85871 464316 16% /
 /dev/wd0a 37556 32 34520 0% /config
 /dev/wd0d 30978766 287029 28213436 1% /var
 /dev/wd0e 5268700 268396 4578808 6% /opt
 procfs 4 4 0 100% /proc

'''Hybrid Installation verification information'''
 IP560[admin]# df -k
 Filesystem 1K-blocks Used Avail Capacity Mounted on
 /dev/wd0f 266383 44080 200993 18% /
 v9fs 767388 50548 716840 7% /image/IPSO-4.1-BUILD013-03.27.2006-223017-1515/rfs
 /dev/wd0a 31775 161 29072 1% /config
 /dev/wd0h 664831 205476 406169 34% /preserve
 /dev/wd1d 37905549 23674 34849432 0% /var
 procfs 4 4 0 100% /proc
 mfs:92 7607 0 6998 0% /var/tmp2/upgrade
 v9fs 837452 120612 716840 14% /opt
 IP560[admin]#

'''Flash-Only installation verification information'''
 IP560[admin]# df -k
 Filesystem 1K-blocks Used Avail Capacity Mounted on
 /dev/wd0f 266383 44080 200993 18% /
 v9fs 755824 50548 705276 7% /image/IPSO-4.1-BUILD013-03.27.2006-223017-1515/rfs
 /dev/wd0a 31775 161 29072 1% /config
 /dev/wd0h 664831 205478 406167 34% /preserve
 procfs 4 4 0 100% /proc
 v9fs 716840 11564 705276 2% /var
 mfs:97 7607 0 6998 0% /var/tmp2/upgrade
 v9fs 825888 120612 705276 15% /opt
 IP560[admin]#

Nokia hardware info 0 47 52 2013-04-12T15:59:09Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki
== general hardware info ==
 ipsctl -a |grep eeprom
determine if the firewall has 10G cards and what type:
 firewall[admin]# '''ipsctl -a |grep 10G'''
 hw:eeprom:ixgbe_1_1:product_id = Nokia 10G XMC
 hw:eeprom:ixgbe_1_2:product_id = Nokia 10G XMC
[[category:nokia]]

Parse objects and rules 0 23 27 2013-02-26T00:26:27Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki
== get object name for given UID ==
 cat objects_5_0.C |grep -m 1 -B 2 2FD225F6-A25F-475C-934B-C0DC122A2FDC |grep -m 1 : | sed -e 's/://' | tr -d '(' | sed 's/^[ \t]*//'
== get orig dst object UID from rulebases_5_0.fws ==
 cat rulebases_5_0.fws | grep -A 3 "dst_adtr" | grep chkpf_uid | sed -e 's/("{//' | sed -e 's/}")//' | awk '{print $2}'
[[category:check point]]

Performance analysis for Security Gateway NGX R65 / R7x 0 8 9 2013-02-25T22:10:52Z Nighthawk 1 Created page with "Performance analysis for Security Gateway NGX R65 / R7x https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk33781&js_p..." wikitext text/x-wiki
Performance analysis for Security Gateway NGX R65 / R7x
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk33781&js_peid=P-114a7bc3b09-10006&partition=General&product=Security
[[category:performance]]

Problem - fwm start failure on mds 0 52 57 2013-04-12T16:27:23Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki
== Problem description: ==
# mds fails to fully start up
# problem with GUIs connecting to CMA/CLM from MDG
# mdsstat shows MDS fwm down after mdsstart
== Troubleshooting steps ==
start fwm in debug mode (from the mds environment):
 # mdsenv
 # fwm -d mds
 [Expert@r65_mdshost]# fwm -d mds
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] cpobj_get_plugin_conf_info: Could not open file (/opt/CPPIconnectra-R65/conf/plugin_groups.conf).
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] PM_policy_create: version 5301.
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] PM_policy_add_name_to_group: finished successfully.
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] PM_policy_set_local_names: () names. finished successfully.
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] PM_policy_create: finished successfully.
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] PM_policy_read (/opt/CPshrd-R65/conf/sic_policy.conf): finished successfully.
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] PM_set_external_host_groups: 43 names. finished successfully.
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] PM_policy_add_name_to_group: finished successfully.
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] PM_policy_add_name_to_group: finished successfully.
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] PM_policy_set_local_names: (171.186.108.253) names. finished successfully.
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] PM_policy_add_name_to_group: finished successfully.
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] PM_policy_set_local_names: ("CN=cp_mgmt_r65_mdshost,O=iproricNGX2..rsyqv9") names. finished successfully.
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] PM_apply_default_dn: ca_dn = [O=iproricNGX2..rsyqv9].
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] PM_apply_default_dn: calling PM_policy_DN_conversion ..
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] PM_apply_default_dn: finished successfully.
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] ckpSSLctx_New: prefs = 12
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] Error opening file /opt/CPshrd-R65/database//authkeys.C:: No such file or directory
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] ckpSSLctx_New: prefs = 12
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] ckpSSLctx_New: prefs = 12
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] ckpSSLctx_New: prefs = 32
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] ckpSSLctx_New: prefs = 12
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] ckpSSLctx_New: prefs = 12
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] ckpSSLctx_New: prefs = 32
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] ckpSSLctx_New: prefs = 32
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] ckpSSLctx_New: prefs = 11
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] ckpSSLctx_New: prefs = 31
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] ckpSSLctx_New: prefs = 11
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] ckpSSLctx_New: prefs = 11
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] ckpSSLctx_New: prefs = 31
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] ckpSSLctx_New: prefs = 31
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] peers addresses are
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] 171.186.108.253
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] sic_client_do_connect: using server local sic name.
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] is_command_no_need_for_license: it's ok to run this command, without special checking
 [ 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] is_msp_environment_set_correctly> YES
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] CPPRODIS_init_error_logging_ex: initialized error logging for product 'FW1' application 'MDS'. Log file is not set.
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] raise_file_limit: raising limit from 1024 to 1024
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] FW Cleaner: Adding cleanup function FwmIsAliveMutex_Destroy() (0x80fb840, 0x1849)
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] Env Configuration: ( :type (opsec_info) )
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] Could not find info for ...opsec_sic_name...
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] Could not find info for ...opsec_sslca_file...
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] Could not find info for ...opsec_shared_local_path...
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] Could not find info for ...opsec_sic_policy_file...
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] Could not find info for ...opsec_mt...
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] opsec_init: multithread safety is not initialized
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:37] FW Cleaner: Adding cleanup function FwmDestroyOpsecEnv() (0x824afb0, 0x0)
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:38] fwa_db_init_with_scope: called
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:38] do_links_getver: strncmp failed. Returning -2
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:39] port found in reg 1024
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:39] cplog_localtcpip: found port 1024
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:39] Failed to connect to FWD (log connection).
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:39] resolver_gethostbyname: Performing gethostbyname for r65_mdshost
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:39] resolver_gethostbyname: Failed to resolve hostname 'r65_mdshost'
 fw_ipaddr: Unable to resolve ipaddr for r65_mdshost: Resource temporarily unavailable
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:39] FW Cleaner: calling cleanup function FwmIsAliveMutex_Destroy() (0x80fb840, 0x1849)
 [MDS 6217 2002609888]@r65_mdshost[20 Jul 15:41:39] FW Cleaner: calling cleanup function FwmDestroyOpsecEnv() (0x824afb0, 0x0)

'''hosts file doesn't contain the mds hostname'''
 # cat /etc/hosts
 192.168.1.100 -n
 # Do not remove the following line, or various programs
 # that require network functionality will fail.
 127.0.0.1 localhost.localdomain localhost
== Solution ==
'''fix hosts file''', then restart the MDS processes:
 mdsstop -m; mdsstart -m
 [Expert@r65_mdshost]# mdsstat |grep MDS
 MDS | 192.168.1.100 | up 6474 | up 6473 | up 6472 | N/R |
[[category:check point]]

Problem nokia boot flash boot failed 0 94 150 2013-05-24T16:17:16Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki
'''Problem description:'''
Flash based Nokia firewall fails to boot up after an O.S. installation. Also, IPSO installation fails at the boot manager because no valid device is found to install to.
'''Error messages:'''
 BOOTMGR[29]> boot
 /dev/wd0f on /mnt: Incorrect super block.
 Error: /image on /dev/wd0f does not exist or is not a file
 umount: /mnt: not currently mounted
 boot failed
Solution:
 BOOTMGR[30]> sh
 # '''disklabel -r /dev/wd0s4 > /tmp/label'''
 super block size 0
 # '''disklabel -R /dev/wd0s4 /tmp/label'''
 # exit
[[category:nokia]]

R77 upgrade via CLI 0 180 517 516 2014-07-16T09:35:28Z Nighthawk 1 wikitext text/x-wiki
This terminal log is for upgrading an existing Gaia Check Point device to R77, R77.10, or presumably R77.20. The source device can be R75.4x or above. In this example the firewall was R76. Commands run are in bold.
 chkpfw:0]# '''clish'''
 chkpfw> '''add upgrade R77.10 package /var/log/download/Check_Point_R77.10_T1551_upg_WEBUI_and_SmartUpdate.Gaia.tgz'''
 chkpfw> '''upgrade local R77.10'''
 Extracting...
 [03:58:36] Start loading default params
 Performing products initialization... Done
 Would you like to save a snapshot of the system before upgrade (yes/no)? '''yes'''
 [03:58:41] Start snapshot creation
 Creating snapshot...
 Snapshot created successfully
 [04:06:28] Start verification
 You are about to start upgrade to R77.10 Gaia.
 Are you sure you want to continue (yes/no)? '''yes'''
 Performing products verification...
 Pre-upgrade verification finished successfully.
 Check the file /tmp/pre_upgrade_out.txt for more details.
 Done
 [04:07:20] Start pre upgrade
 Performing products pre upgrade... Done
 [04:07:21] Start loading platform params
 [04:07:21] Start kernel upgrade
 [04:07:40] Start OS upgrade
 INIT: version 2.86 reloading
 INIT: version 2.86 reloading
 [04:08:44] Start database upgrade
 [04:08:44] Start products upgrade
 Importing CP wrapper... Done
 Performing products upgrade... Done
 [04:11:46] Start post upgrade
 Performing products post upgrade... Done
 Post upgrade finished successfully
 Upgrade finished
 Type OK to reboot the machine. '''ok'''
[[category:upgrade]]

RHEL 6.5 install 0 207 666 665 2017-05-25T00:45:29Z Nighthawk 1 wikitext text/x-wiki
==installing prereqs==
[https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk98760 Prerequisites for installing Security Management Server / Multi-Domain Security Management Server on Red Hat Enterprise Linux]
==using centos yum repo==
replace /etc/yum.repos.d/rhel-source.repo contents with the following [[centos 6.5 repo]]

vault access to older/deprecated centos repos - [http://vault.centos.org/6.5/os/x86_64/ vault.centos.org 64bit centos]

run to import vault key
 # rpm --import http://vault.centos.org/6.5/os/x86_64/RPM-GPG-KEY-CentOS-6
==installing check point==
which package to install from the support site? the iso to download will usually say "install" and "open_server", for example...
 Check_Point_R77.30_T207_Install_and_Upgrade.SPLAT_Open_Server.iso
==troubleshooting==
===libz.so.1 error===
errors occur during configuration on install or when cpconfig is run
'''error message:'''
 Do you want to add an administrator (y/n) [y] ?
 /opt/CPsuite-R77/fw1/bin/fwm: error while loading shared libraries: libz.so.1: cannot open shared object file: No such file or directory
'''cause'''
 # yum list zlib
 Installed Packages
 zlib.x86_64 1.2.3-29.el6 @anaconda-RedHatEnterpriseLinux-201311111358.x86_64/6.5
 Available Packages
 zlib.i686 1.2.3-29.el6 CentOS6base
'''solution'''
install 32bit libz
 # yum install zlib.i686
===bad ELF interpreter===
'''error message'''
 # ./UnixInstallScript: ./UnixInstallScript: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
'''solution'''
install missing glibc
 # yum install glibc.i686
=== libpam.so.0 ===
'''error:'''
 ./UnixInstallScript: error while loading shared libraries: libpam.so.0: cannot open shared object file: No such file or directory
'''solution:'''
install 32-bit pam. You will likely need to update the 64-bit package to the same version, otherwise yum reports Multilib version errors. The following command does both:
 # yum install pam.x86_64 pam.i686
==links==
[http://it.tuxie.eu/?p=404 RHEL 6.5 x64 with CentOS 6.5 repositories]
[[category:rhel]]
cb15c07970f4d4b5626c1adb941bdc64c09b7169

Renaming a check point firewall object 0 53 58 2013-04-12T16:29:32Z Nighthawk 1 Pushed from Themanclub.
1) Reset SIC but DON'T re-initialize
2) The firewall name will be editable when you OK out

[[category:check point]]

SIC General Failure and T get event: bad socket/type (2014-03-09T00:00:34Z, Nighthawk: moved [[SIC General Failure and T get event: bad socket/type]] to [[SIC General Failure and "T get event: bad socket" erros]])

#REDIRECT [[SIC General Failure and "T get event: bad socket" erros]]

SIC General Failure and T get event bad socket errors (2014-03-09T00:04:32Z, Nighthawk: moved [[SIC General Failure and T get event: bad socket errors]] to [[SIC General Failure and T get event bad socket errors]])

SIC General Failure and "T_get_event: bad socket/type" errors

== Problem Description ==

Unable to install firewall policies due to a SIC error.

Platform: Nokia
O.S.: IPSO 6.2-GA039
fw version: NGX (R65) HFA_70

Testing SIC from within SmartDashboard...
<br>SIC Status for firewall-1: Not Communicating
<br>SIC General Failure [error no. 148]

Error 148, according to sk16200, "means a timeout has occurred during the SIC process".

Errors in $CPDIR/log/cpd.elg:

 T_get_event: bad socket/type: 1200/0

If you tail the above file while testing SIC, the errors pour in. A tcpdump between the management server and the firewall shows a good handshake and two-way communication, so the network path is not the problem.

== Root Cause ==

Suspected file descriptor or memory leak in cpd.

==Solution==

Restart cpd (stop and start it under the cpwd watchdog):

 # '''cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"'''
 CPD stopped
 cpwd_admin: Process CPD (pid=953) stopped with command 'cpd_admin stop'. Exit code 0.
 # '''cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"'''
 cpwd_admin: Process CPD started successfully (pid=40018)

[[category:sic]] [[category:cpd]]

SRX notes (2024-06-20T14:28:52Z, Nighthawk)

junos SRX notes

show interface IPs

 > show interfaces terse | match inet

show rule / policy

 # show security policies from-zone trust to-zone untrust policy <policy_name>

search address book for pre-defined objects

 # show security zones security-zone untrust address-book | match "192.168.1.1"

monitoring traffic example

 > monitor traffic matching "host 10.0.0.1" no-resolve interface reth0

show cluster status

 root@SRXfw> '''show chassis cluster status'''
 Cluster ID: 1
 Node   Priority   Status     Preempt   Manual failover
 Redundancy group: 0 , Failover count: 0
 node0  200        primary    no        no
 node1  100        secondary  no        no
 Redundancy group: 1 , Failover count: 3
 node0  200        secondary  no        no
 node1  100        primary    no        no

Note that in this output RG0 (control plane) is primary on node0 while RG1 (data plane) is primary on node1, and RG1 has failed over three times; that is a legal state, but worth checking the reason for the failovers before deciding whether to fail RG1 back.

add proxy arp

 set security nat proxy-arp interface reth0 address 192.168.1.1

start unix shell

 > start shell user root

example new rule (in progress)

 match > permit > insert

==VM download==

[https://webdownload.juniper.net/swdl/dl/secure/site/1/record/117212.html?pf=vSRX%20EVAL https://webdownload.juniper.net/swdl/dl/secure/site/1/record/117212.html?pf=vSRX%20EVAL]

[[category:juniper]]
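The cpd "T_get_event: bad socket/type" symptom on the SIC General Failure page above can be checked for from a shell before anyone bounces cpd by hand. The script below is an added example, not code from the original page or from Check Point: it counts the error lines in a cpd.elg-style log, decides against a threshold whether the storm the page describes is present, and prints (or, on a box that has cpwd_admin, runs) the exact stop/start pair the page gives. The log lines in SAMPLE_CPD_ELG are constructed for the example; only the message text "T_get_event: bad socket/type: 1200/0" comes from the page. The threshold, the function names and the handling of an unset $CPDIR are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the original page or from Check Point.
# Checks a cpd.elg-style log for the "T_get_event: bad socket/type" storm and
# prints (or, where cpwd_admin exists, runs) the restart sequence from the page.
#
# Constructed sample: the timestamps and the two "cpd:" lines are made up for
# this example; only "T_get_event: bad socket/type: 1200/0" is the page's text.
SAMPLE_CPD_ELG='[09-Mar 23:41:02] cpd: SIC test requested by 10.0.0.10
[09-Mar 23:41:02] T_get_event: bad socket/type: 1200/0
[09-Mar 23:41:02] T_get_event: bad socket/type: 1200/0
[09-Mar 23:41:03] cpd: fwm connection from 10.0.0.10
[09-Mar 23:41:03] T_get_event: bad socket/type: 1200/0'

# bad_socket_count: log text on stdin, prints the number of bad socket/type lines.
bad_socket_count() {
    awk '/T_get_event: bad socket\/type/ { n++ } END { print n + 0 }'
}

# cpd_restart_needed THRESHOLD: exit 0 when the count read from stdin reaches
# THRESHOLD.  The threshold (an assumption of this example) stops one stray
# line from bouncing cpd; the page's symptom is a continuous stream of them.
cpd_restart_needed() {
    threshold=$1
    count=$(bad_socket_count)
    [ "$count" -ge "$threshold" ]
}

# cpd_restart_commands: the exact stop/start pair from the page.  When CPDIR
# is not set (i.e. not in a Check Point shell) the commands keep the literal
# $CPDIR so they can be pasted into one.
cpd_restart_commands() {
    if [ -n "$CPDIR" ]; then cpdir=$CPDIR; else cpdir='$CPDIR'; fi
    printf '%s\n' \
        "cpwd_admin stop -name CPD -path \"$cpdir/bin/cpd_admin\" -command \"cpd_admin stop\"" \
        "cpwd_admin start -name CPD -path \"$cpdir/bin/cpd\" -command \"cpd\""
}

# cpd_bounce LOGFILE THRESHOLD: restart cpd only when the storm is present and
# only on a box that has cpwd_admin; elsewhere print what would be run.
cpd_bounce() {
    logfile=$1
    threshold=$2
    if ! cpd_restart_needed "$threshold" < "$logfile"; then
        echo "fewer than $threshold bad socket/type lines in $logfile, leaving cpd alone"
        return 1
    fi
    if command -v cpwd_admin >/dev/null 2>&1; then
        cpd_restart_commands | sh -x
    else
        echo "cpwd_admin not found here; on the gateway run:"
        cpd_restart_commands
    fi
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CPD_ELG" > "$tmp"
cpd_bounce "$tmp" 3
rm -f "$tmp"
```

On a real gateway point cpd_bounce at $CPDIR/log/cpd.elg while a SIC test is running; the restart is the page's workaround, not a fix for the suspected leak, so keep a note of how often it has to be repeated.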
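For the cluster status output in the SRX notes above, here is an added example (not from the page or from Juniper) that parses "show chassis cluster status", reports which node is primary for each redundancy group, and flags the split the page's own output shows, where RG0 is primary on node0 and RG1 on node1. CLUSTER_STATUS is the page's output with the columns whitespace-aligned; the function names and the "aligned" case in the usage note are this example's. The command it prints to move a group back, request chassis cluster failover redundancy-group N node M, is a Junos operational command, but the script only prints it.

```sh
#!/bin/sh
# Added example, not from the original page or from Juniper.
# Parses "show chassis cluster status" output, reports which node is primary
# for each redundancy group, and flags a split like the one on the page
# (RG0 primary on node0, RG1 primary on node1).

# Copy of the page's output with the columns whitespace-aligned for parsing.
CLUSTER_STATUS='Cluster ID: 1
Node   Priority   Status     Preempt   Manual failover
Redundancy group: 0 , Failover count: 0
node0  200        primary    no        no
node1  100        secondary  no        no
Redundancy group: 1 , Failover count: 3
node0  200        secondary  no        no
node1  100        primary    no        no'

# rg_primaries: status output on stdin; prints "<rg> <primary node> <failover count>" per group.
rg_primaries() {
    awk '
        /^Redundancy group:/ { rg = $3; failovers = $NF; next }
        /^node[0-9]/ && $3 == "primary" { print rg, $1, failovers }
    '
}

# split_primary: exit 0 (and say which groups differ) when not every group is
# primary on the same node as RG0; exit 1 when the cluster is aligned.
split_primary() {
    rg_primaries | awk '
        { node[$1] = $2; groups[n++] = $1 }
        END {
            rg0 = node[groups[0]]; found = 0
            for (i = 1; i < n; i++)
                if (node[groups[i]] != rg0) {
                    printf "RG%s is primary on %s but RG%s is primary on %s\n", groups[0], rg0, groups[i], node[groups[i]]
                    found = 1
                }
            if (found) exit 0
            exit 1
        }'
}

# realign_commands: print the Junos command that moves each mismatched group
# back to the node holding RG0.  Printed, not run: check the failover count
# and the reason for the last failover before issuing it.
realign_commands() {
    rg_primaries | awk '
        { node[$1] = $2 }
        END {
            for (rg in node)
                if (rg != "0" && node[rg] != node["0"])
                    printf "request chassis cluster failover redundancy-group %s node %s\n", rg, substr(node["0"], 5)
        }'
}

# Stand-alone run over the page's output.
printf '%s\n' "$CLUSTER_STATUS" | rg_primaries
if printf '%s\n' "$CLUSTER_STATUS" | split_primary; then
    echo "to bring the data plane back to the RG0 node:"
    printf '%s\n' "$CLUSTER_STATUS" | realign_commands
fi
```

To use it against a live box, replace the constant with the output of "show chassis cluster status" captured over SSH; on an aligned cluster split_primary exits 1 and realign_commands prints nothing.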
Secondary CMA/CLM SIC expiration renewal procedure (2013-05-20T19:54:54Z, Nighthawk: /* Solution */)

Reset SIC between the Provider-1 Secondary CMA/CLM and the respective Provider-1 Primary CMA

other keywords: certificate expired

Solution ID: sk36359
Product: Multi-Domain Management / Provider-1
Version: All

== Symptoms ==

1) The SmartDashboard SIC communication test from the CMA reports...

 "SIC Status for Inet-VPN-CLM2: Not Communicating
 Internal SSL authentication error [ Certificate expired]"

2) The CLM's SIC certificate is listed as expired on the MDS:

 [Expert@mds]# cpca_client lscert -kind SIC|grep -A 2 CLM
 Subject = CN=Inet-VPN-CLM,O=cr-provider-vpn..xcoz95
 Status = Expired Kind = SIC Serial = 73304
 Not_Before: Fri Oct 27 14:12:28 2006 Not_After: Mon Jan 18 22:00:08 2038

Note that Status = Expired is the field to go by; the Not_After date printed in this output does not agree with it.

3) No new logs received on the CLM

== Cause ==

Expired SIC certificates between the Provider-1 Secondary CMA/CLM and the respective Provider-1 CMA

== Solution ==

Here are the steps to reset SIC between the Secondary CMA/CLM and the respective CMA. The pre-shared secret 'abc123' is only the example value used throughout this page; pick your own one-time activation key.

'''On the Provider-1 MDS/MLM (the one containing the expired CMA/CLM) server:'''

Log into Expert mode (for SecurePlatform).

Run the 'mdsenv' command to change the current environment to that of the relevant Secondary CMA/CLM.

 # mdsenv cma_name

Run the following command to re-initialize the SIC (pre-shared secret is 'abc123'):

 # cp_conf sic init abc123

Note: the CPD daemon for the relevant CMA/CLM is in a 'down' state at this point in time.

'''On the MDS (Manager) Provider-1 Server'''

 # mdsenv

Restart the CLM:

 # mdscmd stopcma ''customer_name'' -i ''<secondary_cma/clm_ip>''
 # mdscmd startcma ''customer_name'' -i ''<secondary_cma/clm_ip>''

'''On the MLM'''

Verify that the CPD process is up and running for the relevant Secondary CMA/CLM:

 # mdsstat

'''In the SmartDashboard (logged into the CMA):'''

Select 'Manage' - then 'Network Objects'.
In the 'Network Objects' dialog box, select the relevant Secondary CMA/CLM network object from the network objects list. Click on 'Edit'.
In the 'Check Point Host' dialog box, select the 'General Properties' branch from the left pane.
In the 'General Properties' pane, in the 'Secure Internal Communication' section, click on 'Communication'.
In the 'Communication' dialog box, click on 'Reset'.

A dialog box with the following message will be displayed:

 Check Point SmartDashboard
 For the reset operation to be complete, you must also reset the module in the configuration tool. No communication will be possible until you reset and re-initialize the communication properly.
 Are you sure you want to reset?

Click on 'Yes'.

A dialog box with the following message will be displayed:

 Check Point SmartDashboard
 Reset is done. Please re-install the Security Policy in order to update the CRL list. You must install the Security Policy to ALL Modules.

Click on 'OK'.

In the 'Communication' dialog box, in the 'Activation Key' field, enter the pre-shared secret (i.e., 'abc123').
In the 'Communication' dialog box, in the 'Confirm Activation Key' field, re-enter the pre-shared secret (i.e., 'abc123').
Click on 'Initialize'.
In the 'Communication' dialog box, click on 'Close'.

'''Reinstall policies to all firewalls managed by the CMA to re-establish logging.'''

[[category:check point]]
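The symptom check and the MDS-side half of the procedure above can be scripted. What follows is an added example, not code from the original page or from Check Point: it parses the record layout that "cpca_client lscert -kind SIC" prints in the Symptoms section (a Subject line, a Status line and a Not_Before/Not_After line per certificate), lists every SIC certificate whose Status is Expired, generates a random one-time activation key instead of 'abc123', and prints the page's mdsenv / cp_conf / mdscmd / mdsstat sequence for each. LSCERT_SAMPLE is constructed; only the expired Inet-VPN-CLM record is copied from the page. It assumes the certificate CN is also the mdsenv name of the CMA/CLM, and it leaves customer_name and the CLM IP as placeholders because lscert does not report them.

```sh
#!/bin/sh
# Added example, not from the original page or from Check Point.
# Finds expired SIC certificates in "cpca_client lscert -kind SIC" output and
# prints the MDS-side reset steps from this page for each one.
#
# Constructed sample in the page's record layout; only the Inet-VPN-CLM record
# is copied from the page, the other two are made up for the example.
LSCERT_SAMPLE='Subject = CN=Inet-VPN-CLM,O=cr-provider-vpn..xcoz95
Status = Expired Kind = SIC Serial = 73304
Not_Before: Fri Oct 27 14:12:28 2006 Not_After: Mon Jan 18 22:00:08 2038
Subject = CN=Inet-VPN-CMA,O=cr-provider-vpn..xcoz95
Status = Valid Kind = SIC Serial = 73301
Not_Before: Fri Oct 27 14:10:02 2006 Not_After: Mon Jan 18 22:00:08 2038
Subject = CN=branch-fw,O=cr-provider-vpn..xcoz95
Status = Expired Kind = SIC Serial = 73310
Not_Before: Fri Oct 27 15:00:00 2006 Not_After: Mon Jan 18 22:00:08 2038'

# expired_sic_cns: lscert output on stdin; prints "<CN> <serial>" for every
# record whose Status field is Expired.  Status is what the page acts on; the
# Not_After date is deliberately ignored (on the page it disagrees with Status).
expired_sic_cns() {
    awk '
        /^Subject = / { cn = $3; sub(/^CN=/, "", cn); sub(/,.*$/, "", cn) }
        /^Status = /  { status = $3; serial = ""
                        for (i = 1; i <= NF; i++) if ($i == "Serial") serial = $(i + 2) }
        /^Not_Before:/ && status == "Expired" { print cn, serial }
    '
}

# activation_key: a random one-time activation key (24 hex chars) to use in
# place of the page's 'abc123'.
activation_key() {
    od -An -N12 -tx1 /dev/urandom | tr -d ' \n'
}

# sic_reset_plan CN KEY: the MDS-side commands from this page for one expired
# CMA/CLM.  Assumption: the certificate CN equals the mdsenv name.
sic_reset_plan() {
    cn=$1
    key=$2
    printf '%s\n' \
        "mdsenv $cn" \
        "cp_conf sic init $key" \
        "mdsenv" \
        "mdscmd stopcma customer_name -i <secondary_cma/clm_ip>" \
        "mdscmd startcma customer_name -i <secondary_cma/clm_ip>" \
        "mdsstat" \
        "# then in SmartDashboard: Communication -> Reset, Initialize with key $key, reinstall policy"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$LSCERT_SAMPLE" | expired_sic_cns | while read -r cn serial; do
    echo "== $cn (serial $serial) has an expired SIC certificate =="
    sic_reset_plan "$cn" "$(activation_key)"
done
```

On the MDS, feed it the live output (cpca_client lscert -kind SIC | expired_sic_cns) and use the printed key once, in both cp_conf sic init and the SmartDashboard Initialize dialog; the SmartDashboard half of the procedure still has to be clicked through by hand.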
In the 'Check Point Host' dialog box, select the 'General Properties' branch from the left pane. In the 'General Properties' pane, in the 'Secure Internal Communication' section, click on 'Communication'. In the 'Communication' dialog box, click on 'Reset'. A dialog box with the following message will be displayed: Check Point SmartDashboard For the reset operation to be complete, you must also reset the module in the configuration tool. No communication will be possible until you reset and re-initialize the communication properly. Are you sure you want to reset? Click on 'Yes'. A dialog box with the following message will be displayed: Check Point SmartDashboard Reset is done. Please re-install the Security Policy in order to update the CRL list. You must install the Security Policy to ALL Modules. Click on 'OK'. In the 'Communication' dialog box, in the 'Activation Key' field, enter pre-shared secret (i.e., 'abc123'). In the 'Communication' dialog box, in the 'Confirm Activation Key' field, re-enter the pre-shared secret (i.e., 'abc123'). Click on 'Initialize'. In the 'Communication' dialog box, click on 'Close'. '''Reinstall policies to all firewalls managed by the CMA to re-establish logging.''' [[category:check point]] SecureXL Mechanism 0 167 490 462 2014-06-06T17:16:55Z Nighthawk 1 wikitext text/x-wiki == SecureXL Mechanism == Solution ID: sk32578 Product: SecureXL Version: All Platform / Model: All Date Created: 15-Feb-2007 Last Modified: 26-Mar-2014 == Traffic acceleration: == When SecureXL is enabled, all traffic should be accelerated, except traffic that matches the following conditions: * The first packets of any new TCP session, unless a "template" exists. * The first packet of any new UDP session. * All traffic that matches a service that uses a Resource. * Certain traffic that matches a service that is inspected by a SmartDefense/IPS or Web Intelligence feature. For example, traffic on which SSH protections are activated is not accelerated. 
For more details, refer to sk42401 (Factors that adversely affect performance in SecureXL).
* All traffic that is supposed to be dropped or rejected, according to the rule base.
* All traffic that matches a rule whose source or destination is the Security Gateway itself.
* All traffic that matches a rule with a Security Server (e.g., Authentication, Anti-Virus, URL Filtering, Anti-Spam).
* All traffic that matches a rule with User Authentication or Session Authentication.
* Non-TCP/UDP/GRE/ESP traffic (including ICMP traffic).
* CIFS traffic.
* IPv6 traffic.
* All multicast traffic.
* All fragmented traffic.
* All traffic with IP options.
* Connections that will be matched for ISP Redundancy (inbound/outbound interface is one of the interfaces configured for ISP Redundancy).
* TCP RST packets, when the "Spoofed Reset Protection" feature is activated.
* When using ClusterXL in Load Sharing mode with 'Sticky Decision Function'.
* Traffic that violates the stateful inspection paradigm, or that is suspected to be spoofed.

'''Connection establishment acceleration ("templates" mechanism):'''

In order to enhance connection establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the Source Port. This type of "grouping" enables even the very first packets of a TCP handshake to be accelerated. This is very useful on short connections, in which the percentage of TCP handshake traffic is very high.

The very first packets of the first connection on the same service will be forwarded to the Security Gateway's kernel, which will then create a "template" of the connection and notify the SecureXL device. Any subsequent TCP connections established on the same service (where only the source port is different) will already be accelerated (as well as any other traffic, of course).

There are several conditions that will prevent a template from being created:
* Connections that cannot be discriminated ONLY by the source port cannot be templated.
* NATed traffic cannot be templated.
* VPN traffic cannot be templated.
* Complex connections (FTP, H323, SQL, etc.) cannot be templated.
* Non-TCP/Non-UDP traffic (including ICMP traffic) cannot be templated.

The following rules will prevent a Connection Template from being created. All subsequent rules below such rules will not be templated as well, regardless of the rule. It is advised that all rules that can be templated be placed at the top of the rule base (unless, of course, this would violate other optimization considerations):
* Rule with service 'Any' (resolved in R75.40 and above)
* Rule with a service that has a 'handler' (where a specific protocol is chosen in the 'Protocol Type' field instead of 'None'; go to service object - right-click - Edit... - Advanced... - Protocol Type:).
* Rules with the following objects:
** Time object
** Port range object (resolved in R75.40 and above)
** Dynamic object
** Domain object
* Rules with "complex" services (i.e., services that have anything specified in the "Match" field, or "Enable reply from any port" of their "Advanced" section, or a Source Port defined).
* Rules with RPC/DCOM/DCE-RPC services.
* Rules with Client Authentication or Session Authentication.
* When SYN Attack (SYN Defender) or Small PMTU features are activated in SmartDefense/IPS.
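Returning to the SIC reset procedure (sk36359) above: the 'cpca_client lscert -kind SIC' output shown in its Symptoms section can be checked routinely, so an expired CMA/CLM certificate is noticed before the CLM stops receiving logs. The shell script below is an added example, not from this wiki page or from Check Point; it assumes the three-line record layout shown there and runs on a constructed sample.

```shell
#!/bin/sh
# Added example (not from the wiki page or Check Point): parse the output of
#   cpca_client lscert -kind SIC
# and report SIC certificates whose Status is anything other than Valid, so an
# expired CMA/CLM certificate is caught before the CLM silently stops getting logs.
# Record layout is assumed from the Symptoms section (Subject / Status / Not_Before+Not_After);
# the sample below is constructed, not captured from a real MDS.

SAMPLE_LSCERT='Subject = CN=Inet-VPN-CLM,O=cr-provider-vpn..xcoz95
Status = Expired   Kind = SIC   Serial = 73304
Not_Before: Fri Oct 27 14:12:28 2006   Not_After: Mon Jan 18 22:00:08 2038
Subject = CN=cp_mgmt,O=cr-provider-vpn..xcoz95
Status = Valid   Kind = SIC   Serial = 73301
Not_Before: Fri Oct 27 14:10:02 2006   Not_After: Sat Oct 27 14:10:02 2029
Subject = CN=Inet-VPN-CLM2,O=cr-provider-vpn..xcoz95
Status = Revoked   Kind = SIC   Serial = 73310
Not_Before: Mon Mar 03 09:00:00 2008   Not_After: Sun Mar 03 09:00:00 2030'

# sic_cert_report: reads lscert output on stdin and prints one tab-separated
# line per certificate: CN, Status, Serial, Not_After.
sic_cert_report() {
    awk '
    /^Subject = / {
        cn = $0; sub(/^.*CN=/, "", cn); sub(/,.*$/, "", cn)
    }
    /^Status = / {
        status = $3; serial = ""
        for (i = 1; i < NF; i++) if ($i == "Serial") serial = $(i + 2)
    }
    /^Not_Before:/ {
        not_after = $0; sub(/^.*Not_After:[ \t]*/, "", not_after)
        printf "%s\t%s\t%s\t%s\n", cn, status, serial, not_after
        cn = status = serial = ""
    }'
}

# sic_cert_check: prints every certificate that is not Valid and returns 1 if
# there is at least one, so it can drive a cron job or monitoring check.
sic_cert_check() {
    bad=$(sic_cert_report | awk -F '\t' '$2 != "Valid" {
        printf "%s: %s (serial %s, Not_After %s)\n", $1, $2, $3, $4 }')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Live use in Expert mode on the MDS, after sourcing this file:
#   cpca_client lscert -kind SIC | sic_cert_check
# Stand-alone demo on the constructed sample:
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LSCERT" | sic_cert_check
fi
```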
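The rule-ordering advice above can be checked mechanically. The script below is an added example, not from this wiki page or from Check Point: it audits a constructed rule base (a tab-separated format of my own: rule number, service, attribute tokens) against the template-blocking conditions listed above, reports which rules lose Connection Templates because of the first blocking rule, and applies the R75.40 threshold for 'Any' and port-range objects from the version argument.

```shell
#!/bin/sh
# Added example (not from the wiki page or Check Point): audit a rule base for the
# template-blocking conditions listed in sk32578 and show the cost of their position.
# Input format is my own, one rule per line, tab-separated:
#   <rule number> <service> <comma-separated attribute tokens>
# Tokens: time, portrange, dynamic, domain, handler, complex, rpc, clientauth, sessionauth.
# The sample rule base below is constructed.

SAMPLE_RULES=$(printf '1\thttps\t\n2\tany\t\n3\tssh\ttime\n4\tsmtp\t\n5\tftp\tcomplex\n6\tdns\t\n')

# template_audit <Rxx.yy>: reads rules from stdin. Reports the first rule that disables
# Connection Templates, how many rules below it lose templating as a consequence, and
# which of those are themselves templatable (candidates to move above the blocker).
template_audit() {
    ver=$(printf '%s' "${1:-R75.40}" | sed 's/^[Rr]//')
    awk -F '\t' -v ver="$ver" '
    # Return the reason a rule blocks templates, or "" if it does not.
    function blocker(service, attrs,    n, i, a) {
        if (service == "any" && ver + 0 < 75.40) return "service Any (pre-R75.40)"
        n = split(attrs, a, ",")
        for (i = 1; i <= n; i++) {
            if (a[i] == "portrange" && ver + 0 < 75.40) return "port range object (pre-R75.40)"
            if (a[i] == "time")      return "time object"
            if (a[i] == "dynamic")   return "dynamic object"
            if (a[i] == "domain")    return "domain object"
            if (a[i] == "handler")   return "service with a protocol handler"
            if (a[i] == "complex")   return "complex service (Match field, reply from any port, or source port)"
            if (a[i] == "rpc")       return "RPC/DCOM/DCE-RPC service"
            if (a[i] == "clientauth" || a[i] == "sessionauth") return "client/session authentication"
        }
        return ""
    }
    NF >= 2 {
        reason = blocker($2, $3)
        if (first != "") {                 # everything below the first blocker is not templated
            lost++
            if (reason == "") movable = movable (movable == "" ? "" : ",") $1
        } else if (reason != "") {
            first = $1; why = reason
        }
    }
    END {
        if (first == "") { print "templates_disabled_from_rule=none"; exit }
        printf "templates_disabled_from_rule=%s reason=%s\n", first, why
        printf "rules_losing_templates=%d\n", lost
        printf "templatable_rules_below_blocker=%s\n", (movable == "" ? "none" : movable)
    }'
}

# Stand-alone demo: the same rule base before and after the R75.40 fix for service Any.
if [ "${1:-}" = "demo" ]; then
    echo "== R75.20 =="; printf '%s\n' "$SAMPLE_RULES" | template_audit R75.20
    echo "== R75.40 =="; printf '%s\n' "$SAMPLE_RULES" | template_audit R75.40
fi
```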
= Setting the fwd daemon cpu affinity =
(revision 605 by Nighthawk, 2016-10-25T01:36:24Z)
Performance Tuning Administration Guide R77

'''Allocating a Core for Heavy Logging'''

If the gateway is performing heavy logging, it may be advisable to allocate a processing core to the fwd daemon, which performs the logging. Like adding a core for the SND, this too will reduce the number of cores available for kernel instances.

To allocate a processing core to the fwd daemon, you need to do two things:
# Reduce the number of kernel instances using cpconfig.
# Set the fwd daemon affinity, as detailed below.

'''Setting the fwd Daemon Affinity'''

Check which processing cores are running the kernel instances and which cores are handling interface traffic using:
 fw ctl affinity -l -r
Allocate the remaining core (the one with nothing assigned to it) to the fwd daemon by setting the fwd daemon affinity to that core: create fwaffinity.conf in $FWDIR/conf and add a line as follows:
 n fwd <cpuid>
where <cpuid> is the number of the processing core to be set as the affinity of the fwd daemon.

= Splat add route cli =
(revision 59 by Nighthawk, 2013-04-12T16:34:50Z: Pushed from Themanclub.)

Adding routes to SecurePlatform via the command line / CLI. Example:
 ip route add 2.1.1.0/24 via 194.29.42.179
Make it permanent so it survives a reboot:
 route --save

[[category:check point]]

= Splat password reset =
(revision 62 by Nighthawk, 2013-04-16T15:37:46Z: Pushed from Themanclub.)

== secure platform password reset / recovery procedure (tested) ==
1. boot to system recovery CD or other linux live CD / usb
2. mount root partition
 mkdir /mnt/sda6
 mount /dev/sda6 /mnt/sda6
3. change root
 chroot /mnt/sda6 /bin/bash
4. reset admin account password (assuming it is active)
 /usr/bin/passwd admin
5. reset expert password
 /bin/expert_password

[[category:check point]]

= Splat scp =
(revision 60 by Nighthawk, 2013-04-12T16:35:10Z: Pushed from Themanclub.)
Add the user account to /etc/scpusers, then change the shell to bash for the user:
 chsh -s /bin/bash <username>

[[category:check point]]

= Ssh tunnel scratch =
(revision 707 by Nighthawk, 2018-01-24T16:25:04Z)

== reverse tunnel on a check point splat / secureplatform R75.40 device ==
The ssh client is older (openssh-3.6.1p2-33.30.39cp) and less functional. It doesn't support a remote bind address:
 [Expert@chkpfw]# ssh --help
 ...
 -R listen-port:host:port Forward remote port to local address
A more descriptive translation of the line above:
 -R remote_host_listen-port:localhost_ip:localhost_port
Example command:
 ssh -f -N -R 10022:192.168.1.1:22 username@192.168.1.1
where remote_host = 192.168.1.1

Compared to OpenSSH_6.1p1-hpn13v11, we can see the remote bind address option below in the modern OpenSSH implementation that is missing here:
 man ssh
 ...
 -R '''[bind_address:]'''port:host:hostport

[[category:ssh]]

= Static NAT for outgoing connections through gateway with ISP Redundancy =
(revision 716 by Nighthawk, 2018-02-11T17:55:11Z)

[https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk25152&partition=Advanced&product=Security sk25152]

= Useful firewall one liners =
(revision 162 by Nighthawk, 2013-07-10T16:00:08Z: Pushed from Themanclub.)

== state sync sent/rec packets check ==
 fw ctl pstat | grep -A 1 "Sync p" | awk '{print $1,$2,$3}'
 fw ctl pstat | grep -A 1 "Sync packets sent" | grep total | awk '{print $3}' | awk -F , '{print $1}'
 fw ctl pstat | grep -A 1 "Sync packets received" | grep total | awk '{print $3}' | awk -F , '{print $1}'

== VRRP ==
Get VRIDs:
 clish -c "show vrrp interfaces" | grep VRID | tr -d '\n' ; echo ""

== nokia validation ==
'''Interfaces'''
 ssh -l username desthostname "/bin/ifconfig -a | grep broadcast | grep -v vrrpmac" | awk '{ i = NF-2; print $i }'
'''Routes on ipso 6.x (remote command from jumpbox)'''
 ssh -l username firewall_name "netstat -rn | grep user | sort -n" | awk '{print $1, $4,$8}'
'''Route on ipso 4.x'''
 ssh -l username firewall_name "netstat -rn | grep iCSU | sort -n" | awk '{print $1, $2,$6}'
'''routes'''
 cat /config/active | grep "default:gateway:address"
'''grab active interfaces only'''
 clish -c "show interfaces" | grep -B 1 On | grep Interface|awk '{print $3}'
Grab active interfaces and produce clish commands for '''logical interface''' stats:
 clish -c "show interfaces" | grep -B 1 On | grep Interface | grep -v loop | grep -v Tunnel | awk '{print "clish -c \"show interface "$3, "statistics\" |grep -C 1 Bytes;"}'
Grab active interfaces and produce clish commands for '''physical interface''' stats, unfiltered:
 clish -c "show interfaces" | grep -B 1 Up | grep Interface | grep -v loop | grep -v Tunnel | awk '{print "clish -c \"show interface "$3, "statistics\" ;"}'
Error check:
 clish -c "show interfaces" | grep -B 1 Up | grep Interface | grep -v loop | grep -v Tunnel | awk '{print "clish -c \"show interface "$3, "statistics\" |grep -A 3 Errors;"}'
'''VRRP verification'''
vrrp pre-upgrade recon script that looks for any foreign vrrp advertisement ???

== MDS commands ==
Customer list - useful for determining the mdscmd startcma/stopcma first parameter (not given by mdsstat):
 mdsquerydb Customers
'''List firewall logs, sorted, with a backslash appended for copy/paste into a gzip command'''
 # ls -t *.log |awk '{print $1,"\\"}'|sort -n|more

[[category:check point]]

= asg policy - command =
(revision 880 by Nighthawk, 2023-10-20T21:40:28Z: moved page [[asg policy - manpage]] to [[asg policy - command]] without leaving a redirect)

==asg policy==
==Description==
Use the "asg policy" command in Gaia gClish or the Expert mode to perform policy-related actions.
==Syntax==
 asg policy -h
 asg policy {verify | verify_amw} [-vs <VS IDs>] [-a] [-v]
 asg policy unload [--disable_pnotes] [-a]
 asg policy unload --ip_forward

= big-ip notes =
(revision 926 by Nighthawk, 2024-12-09T17:55:37Z)

==links==
[https://community.f5.com/kb/codeshare/big-ip-upgrade-procedure-using-cli-vcmp-guest--host/280685 BIG-IP Upgrade Procedure Using CLI (vCMP Guest & Host)]

[https://networkproguide.com/f5-big-ip-cli-commands-cheat-sheet/ Big-ip cheat sheet]

[[category:f5]]

= centos 3.8 rpm repo =
(revision 304 by Nighthawk, 2013-11-05T10:16:26Z)

CentOS 3.8 RPMs are compatible with most SecurePlatform versions. Specifically, these have been tested with R75.30. To check the SPLAT version run:
[Expert@secureplaform]# '''cat /etc/cp-release''' Check Point SecurePlatform R75.30 '''downloads''' an ancient but still working yum repo [http://mirror.hmc.edu/centos/3.8/os/i386/RedHat/RPMS/ centos 3.8 i386 (32 bit) RPMs] [[category:sysadmin]] 188 2013-07-19T15:51:42Z Nighthawk 1 Created page with "centos 3.8 RPMs are compatible with most SecurePlatform versions. Specifically, these have been tested with R75.30. To check SPLAT version run... [Expert@secureplaform]# ''..." wikitext text/x-wiki centos 3.8 RPMs are compatible with most SecurePlatform versions. Specifically, these have been tested with R75.30. To check SPLAT version run... [Expert@secureplaform]# '''cat /etc/cp-release''' Check Point SecurePlatform R75.30 '''downloads''' [http://mirror.hmc.edu/centos/3.8/os/i386/RedHat/RPMS/ centos 3.8 i386 (32 bit) RPMs] [[category:sysadmin]] centos 6.5 repo 0 213 662 2017-05-25T00:30:52Z Nighthawk 1 Nighthawk moved page [[centos 6.5 repo]] to [[centos 6.5 repo yum file]] wikitext text/x-wiki #REDIRECT [[centos 6.5 repo yum file]] cd9a95b5d68db574cd22a90867881c070118e496 centos 6.5 repo yum file 0 212 661 660 2017-05-25T00:30:52Z Nighthawk 1 Nighthawk moved page [[centos 6.5 repo]] to [[centos 6.5 repo yum file]] wikitext text/x-wiki <br>[rhel-source] <br>name=Red Hat Enterprise Linux $releasever - $basearch - Source <br>baseurl=ftp://ftp.redhat.com/pub/redhat/linux/enterprise/$releasever/en/os/SRPMS/ <br>enabled=0 <br>gpgcheck=1 <br>gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release <br> <br>[rhel-source-beta] <br>name=Red Hat Enterprise Linux $releasever Beta - $basearch - Source <br>baseurl=ftp://ftp.redhat.com/pub/redhat/linux/beta/$releasever/en/os/SRPMS/ <br>enabled=0 <br>gpgcheck=1 <br>gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release <br> <br>[CentOS6base] <br>name=CentOS-6-Base <br>mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=os <br>gpgcheck=1 <br>enabled=1 
<br>gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY=CentOS-6 <br> <br>[CentOS6updates] <br>name=CentOS-6-Updates <br>mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=updates <br>gpgcheck=1 <br>enabled=1 <br>gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6 <br> <br>[CentOS6plus] <br>name=CentOS-6-Plus <br>mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=centosplus <br>gpgcheck=1 <br>enabled=1 <br>gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6 238ebcd3415b3b24f48636248784f27d321343df 660 659 2017-05-24T22:34:28Z Nighthawk 1 wikitext text/x-wiki <br>[rhel-source] <br>name=Red Hat Enterprise Linux $releasever - $basearch - Source <br>baseurl=ftp://ftp.redhat.com/pub/redhat/linux/enterprise/$releasever/en/os/SRPMS/ <br>enabled=0 <br>gpgcheck=1 <br>gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release <br> <br>[rhel-source-beta] <br>name=Red Hat Enterprise Linux $releasever Beta - $basearch - Source <br>baseurl=ftp://ftp.redhat.com/pub/redhat/linux/beta/$releasever/en/os/SRPMS/ <br>enabled=0 <br>gpgcheck=1 <br>gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release <br> <br>[CentOS6base] <br>name=CentOS-6-Base <br>mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=os <br>gpgcheck=1 <br>enabled=1 <br>gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY=CentOS-6 <br> <br>[CentOS6updates] <br>name=CentOS-6-Updates <br>mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=updates <br>gpgcheck=1 <br>enabled=1 <br>gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6 <br> <br>[CentOS6plus] <br>name=CentOS-6-Plus <br>mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=centosplus <br>gpgcheck=1 <br>enabled=1 <br>gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6 238ebcd3415b3b24f48636248784f27d321343df 659 2017-05-24T22:28:41Z Nighthawk 1 Created page with "[rhel-source] name=Red Hat 
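The repo file above keeps gpgcheck=1 on, but every signature check stands or falls on the gpgkey it names: a typo in the key file name makes key retrieval fail at install time, and a key fetched over plain http can be swapped on the wire before it is ever trusted. As an added example (not part of the wiki page), the Python below lints a constructed .repo fragment modelled on these sections; section names and URLs follow the page, the finding strings are my own.

```python
"""Lint a yum .repo file: every enabled repository must verify signatures
(gpgcheck=1) against a gpgkey it names, and that key should not arrive over a
plaintext transport.  Constructed sample data, modelled on the page's repo file."""
import configparser
from urllib.parse import urlparse

# Constructed sample.  The first section deliberately carries a key file name
# with an '=' in it (RPM-GPG-KEY=CentOS-6), the second is correctly named but
# fetched over http, the third is disabled and is therefore not reported.
SAMPLE_REPO = """\
[CentOS6base]
name=CentOS-6-Base
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=os
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY=CentOS-6

[CentOS6updates]
name=CentOS-6-Updates
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=updates
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6

[rhel-source]
name=Red Hat Enterprise Linux $releasever - $basearch - Source
baseurl=ftp://ftp.redhat.com/pub/redhat/linux/enterprise/$releasever/en/os/SRPMS/
enabled=0
gpgcheck=0
"""


def parse_repo(text):
    # yum variables such as $basearch must survive untouched, so configparser's
    # own %-interpolation is switched off.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def lint_repo(text):
    """Return {section: [findings]} for every enabled repository (empty list = clean)."""
    cp = parse_repo(text)
    findings = {}
    for section in cp.sections():
        sec = cp[section]
        if sec.get("enabled", "1").strip() != "1":
            continue  # a disabled repo installs nothing, so it is skipped
        issues = []
        if sec.get("gpgcheck", "0").strip() != "1":
            issues.append("gpgcheck is off: unsigned packages would install")
        # gpgkey may list several keys, separated by commas or whitespace
        keys = [k for k in sec.get("gpgkey", "").replace(",", " ").split() if k]
        if not keys:
            issues.append("no gpgkey: gpgcheck has nothing to verify against")
        for key in keys:
            url = urlparse(key)
            if url.scheme in ("http", "ftp"):
                issues.append(f"gpgkey fetched over plaintext {url.scheme}: {key}")
            name = url.path.rsplit("/", 1)[-1]
            if "=" in name or not name.startswith("RPM-GPG-KEY"):
                issues.append(f"suspicious gpgkey file name (typo?): {name}")
        findings[section] = issues
    return findings


if __name__ == "__main__":
    for repo, issues in lint_repo(SAMPLE_REPO).items():
        print(repo, "->", issues or "ok")
```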
= check jumbo hotfix install status =

Latest revision 2020-09-12T16:27:49Z by Nighthawk.

 # cpinfo -y all

===R77===

 # installed_jumbo_take

= check point appliance documentation =

Revision 2014-05-13T04:57:50Z by Nighthawk.

sk96246 [https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk96246&js_peid=P-114a7bc3b09-10006&partition=General&product=Security Check Point Appliances Documentation]

= checking ICA / SIC certificate expiration date =

Latest revision 2013-02-25T22:52:06Z by Nighthawk (moved from [[Check point CA certificate expiration]]).

How to list the expiration dates for objects managed by an MDS or CMA:

 cpca_client lscert

[[category:check point]]

= checkpoint.com platform document page =

Revision 2021-01-13T22:14:19Z by Nighthawk.

[https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowprelanding=&id=1 Downloads & Documentation Next Generation Firewalls]

= cisco asa notes =

Latest revision 2024-06-24T18:54:53Z by Nighthawk.

==Getting Started==

===Accessing the Appliance Command-Line Interface===

The following prompt indicates that you are in user EXEC mode. Only basic commands are available from user EXEC mode.

 hostname>

To access privileged EXEC mode, enter the following command:

 hostname> '''enable'''

The prompt changes to the following:

 hostname#

To exit privileged mode, enter the disable, exit, or quit command.

To access global configuration mode:

 hostname# '''configure terminal'''

The prompt changes to the following:

 hostname(config)#

===configure base system===

set firewall mode to transparent or routed? (Optional)

example config... can be pasted on the command line over the console

 ASA Version 9.18.4
 !
 console serial
 interface management0/0
  nameif management
  security-level 100
  ip address 192.168.100.254 255.255.255.0
  no shutdown
 interface gigabitethernet0/0
  nameif inside
  security-level 100
  ip address 10.100.0.254 255.255.255.0
  no shutdown
 interface gigabitethernet0/1
  nameif outside
  security-level 0
  ip address 172.16.100.254 255.255.255.0
  no shutdown
 http server enable
 http 192.168.100.0 255.255.255.0 management
 crypto key generate rsa modulus 1024
 username admin password admin
 ssh 192.168.100.0 255.255.255.0 management
 aaa authentication ssh console LOCAL

save config

 hostname(config)# '''write memory'''

==VM notes==

KVM graphical console stops after...

 Booting the kernel.

At this point the VM is outputting to the virtual serial console. There are similar experiences on VMware.

= clish - Adding / Deleting routes =

Latest revision 2013-05-24T15:33:40Z by Nighthawk.

from clish prompt...

 > set static-route 172.21.0.0/16 nexthop gateway address 10.10.10.1 on

to delete, use off instead of on

[[category:check point]]
[[category:nokia]]
[[category:clish]]

= clish - adding an IP address to an existing logical interface =

Latest revision 2013-05-24T15:10:03Z by Nighthawk.

== adding an IP address to an existing logical interface: ==

*** you must leave off the enable keyword when the logical interface already exists.

 NokiaIP390:31> add interface eth-s1p1c0 address 192.168.1.2/23

[[category:nokia]]
[[category:clish]]

= clish - get vrrp vird =

Latest revision 2013-05-24T15:18:44Z by Nighthawk.

just get the vrid...

 # '''clish -c "show vrrp interfaces" | grep -m1 -E "VRID"'''
 VRID 71

here is a nice one-liner for checking vrrp status and grabbing the VRID without flooding your screen....

 '''clish -c "show vrrp interfaces" | grep -E "VRID|Base|State"'''

Example...

 # '''clish -c "show vrrp interfaces" | grep -E "VRID|Base|State"'''
 VRID 71
 State: Backup
 Time since transition: 8937735
 BasePriority: 90
 Effective Priority: 90
 VRID 71
 State: Backup
 Time since transition: 8937735
 BasePriority: 90
 Effective Priority: 90
 VRID 71
 State: Backup
 Time since transition: 8937735
 BasePriority: 90
 Effective Priority: 90
 VRID 71
 State: Backup
 Time since transition: 8937735
 BasePriority: 90
 Effective Priority: 90
 VRID 71
 State: Backup
 Time since transition: 8937735
 BasePriority: 90
 Effective Priority: 90
 VRID 71
 State: Backup
 Time since transition: 8937734
 BasePriority: 90
 Effective Priority: 90
 VRID 71
 State: Backup
 Time since transition: 8937735
 BasePriority: 90
 Effective Priority: 90

[[category:check point]]
[[category:nokia]]
[[category:clish]]
= clish - manual vrrp failover via CLI =

Latest revision 2013-05-24T15:20:56Z by Nighthawk.

'''clish, command line, manual vrrp failover'''

*** works on simplified vrrp which has only one vrid.

To determine if simplified is used, run (from shell):

 # clish -c "show vrrp interfaces" | grep VRID

...if only one VRID is returned, then it is simplified vrrp.

run from clish

 > set mcvr vrid <1-255> priority <1-254>

[[category:check point]]
[[category:nokia]]
[[category:clish]]
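Both of the clish VRRP pages above come down to reading the filtered "show vrrp interfaces" output: whether one VRID appears on every interface (simplified VRRP, the precondition for set mcvr) and what state each interface is in. As an added example (not from the wiki), the Python below parses that output into per-interface records and derives the checks a pre-upgrade script would log; the samples are constructed, modelled on the output quoted above.

```python
"""Parse `clish -c "show vrrp interfaces" | grep -E "VRID|Base|State"` output
and decide whether the member runs simplified (single-VRID) VRRP and whether
its interfaces agree on role.  Sample data below is constructed."""
import re
from collections import defaultdict

# Constructed sample modelled on the filtered output quoted on this page: one
# VRID / State / BasePriority / Effective Priority block per VRRP interface.
SAMPLE_SIMPLIFIED = """\
VRID 71
State: Backup
Time since transition: 8937735
BasePriority: 90
Effective Priority: 90
VRID 71
State: Backup
Time since transition: 8937735
BasePriority: 90
Effective Priority: 90
VRID 71
State: Backup
Time since transition: 8937734
BasePriority: 90
Effective Priority: 90
"""

# Constructed sample of a non-simplified member: a different VRID per interface.
SAMPLE_FULL = """\
VRID 10
State: Master
BasePriority: 100
Effective Priority: 100
VRID 20
State: Backup
BasePriority: 90
Effective Priority: 90
"""

VRID_RE = re.compile(r"^VRID\s+(\d+)$")
KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")


def parse_vrrp(output):
    """One dict per interface block; a new block starts at every "VRID n" line."""
    records = []
    for raw in output.splitlines():
        line = raw.strip()
        m = VRID_RE.match(line)
        if m:
            records.append({"vrid": int(m.group(1))})
            continue
        m = KV_RE.match(line)
        if m and records:
            # "Effective Priority" -> "effective_priority"; numbers become int
            key = m.group(1).strip().lower().replace(" ", "_")
            value = m.group(2).strip()
            records[-1][key] = int(value) if value.isdigit() else value
    return records


def distinct_vrids(records):
    return sorted({r["vrid"] for r in records})


def is_simplified_vrrp(records):
    """Simplified (Monitored Circuit) VRRP carries a single VRID on every
    interface, which is what `set mcvr vrid <n> priority <p>` above relies on."""
    return len(distinct_vrids(records)) == 1


def states_by_vrid(records):
    """Map each VRID to the set of States seen across its interfaces."""
    states = defaultdict(set)
    for r in records:
        states[r["vrid"]].add(r.get("state", "unknown"))
    return dict(states)


def inconsistent_vrids(records):
    """VRIDs whose interfaces disagree on State.  On a settled member every
    interface of a VRID is Master or every one is Backup; a mix means a
    failover is still in progress or only some links changed role."""
    return sorted(v for v, s in states_by_vrid(records).items() if len(s) > 1)


def priority_decremented(records):
    """Interfaces whose Effective Priority sits below BasePriority: a monitored
    circuit is down and VRRP is lowering this member's claim on the VRID."""
    return [r for r in records
            if r.get("effective_priority", 0) < r.get("basepriority", 0)]


def summarize(output):
    """The fields a pre-upgrade check would record before touching priorities."""
    recs = parse_vrrp(output)
    return {
        "interfaces": len(recs),
        "vrids": distinct_vrids(recs),
        "simplified": is_simplified_vrrp(recs),
        "states": {v: sorted(s) for v, s in states_by_vrid(recs).items()},
        "inconsistent_vrids": inconsistent_vrids(recs),
        "decremented": len(priority_decremented(recs)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_SIMPLIFIED))
    print(summarize(SAMPLE_FULL))
```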
= clish - set default gateway =

Latest revision 2013-05-24T15:10:18Z by Nighthawk.

'''Set default gateway'''

 NokiaIP390:31> set static-route default nexthop gateway address 192.168.1.254 priority 1 on

[[category:nokia]]
[[category:clish]]

= clish - set user password =

Latest revision 2013-05-24T15:35:59Z by Nighthawk (moved from [[nokia - set user password]]).

reset user password

 > set user username passwd <enter>

or

 > set user username newpass <password> <enter>

[[category:check point]]
[[category:nokia]]
[[category:clish]]

= clish - unlock user account =

Latest revision 2016-11-08T01:03:27Z by Nighthawk.

 > set user johnsmith lock-out off

[[category:check point]]
[[category:nokia]]
[[category:clish]]

= cmm notes =

Revision 2014-04-15T17:05:37Z by Nighthawk.

FRU = Field Replaceable Unit

[[category:cmm]]
[[category:61000]]

= cp manpage - mdsenv runcrossdomainquery =

Revision 2017-05-01T17:38:53Z by Nighthawk.

 usage: mdscmd runcrossdomainquery <-f Domain_list_filename | -list Domain1,Domain2,... | -all> < <query_network_obj <-n exact_name | -c partial_name | -i IP> > | <query_rulebase -n global_obj_name> | <whereused_rules -n global_obj_name> | <whereused_objs -n global_obj_name> > | <query_generic_obj -t table -s query_str>>

= cplic db print examples =

Revision 2013-07-16T16:33:10Z by Nighthawk.

The following command will display all licenses and what they are attached to.

 [Expert@mds1]# '''cplic db_print -all -a attached'''
 Retrieving license information from database ...
 
 The following licenses appear in the database:
 ===============================================
 Host             Expiration  Features
 192.168.1.9      never       CPPR-CMA-U-NGX CPMP-DBVR-U-NGX CPMP-CXL-HA-U-NGX CK-098B4CBAE171 test2-cma
 192.168.1.251    never       CPSB-DMN-U CK-378752BCF761 test2-cma_sec
 192.168.1.3      never       cppr-lcu-ngx cpsb-base CK-41E193480370 test2-clm

viewing unattached licenses

 [Expert@mds1]# '''cplic db_print -all -a attached | grep -E "CK-............ $"'''
 Retrieving license information from database ...
 
 192.168.1.2      never       CPVP-VEE-U-3DES-MGMT-NGX CPMP-DBVR-U-NGX CK-148894B9345D
 192.168.1.2      never       CPVP-VFM-U-3DES-NGX CPVP-VPS-1-NGX FW1:6.0:MC_ALL_2 FW1:6.0:MULTICORE CK-A9E475B8766F
 192.168.1.2      never       CPFW-FM-U-NGX CPMP-PPK-1-NGX CK-B13E10987C39

[[category:licensing]]
[[category:smartupdate]]

= cpmiquerybin =

Latest revision 2018-03-27T14:48:00Z by Nighthawk.

cpmiquerybin is found on Provider-1 installations only. If you want to use it on a SmartCenter server, follow this guide: [http://www.cpwiki.net/index.php/cpmiquerybin_on_SmartCenter_server cpmiquerybin on SmartCenter server]

== Usage ==

 '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]

== identify firewall objects ==

'''Standalone Firewalls'''

 cpmiquerybin attr "" network_objects "(type='gateway') & (location='internal')" -a __name__

'''clusters'''

 CLUSTERS=( `cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal')" -a __name__ | tr '\n' ' '` )

'''cluster members'''

list all objects of type cluster member

 cpmiquerybin attr "" network_objects "(type='cluster_member') | (type='gateway') & (location='internal')" -a __name__

list the members of a particular cluster

 cpmiquerybin attr "" network_objects "name='<name_of_cluster_here>'" -a cluster_members

'''identify clusters and standalone firewalls (excluding cluster members)'''

 cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal') | (type='gateway') & (location='internal')" -a __name__,svn_version_name

 cpmiquerybin object "mdsdb" pv1_administrators ""

'''get name of all objects of type cluster member'''

 cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__

'''To get a list of names of all VALID cluster members from cluster object name'''

 cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g'

or

 cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members

anti-spoofing check on all firewall interfaces

 fw="xxx"; cpmiquerybin object "" network_objects "name='$fw'" |grep anti_spoof

'''query all objects for an ip address'''

 cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr

from cma env, list management/cma objects

 # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr

'''All members of a group'''

 cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name"

'''All members of a group formatted'''

 cpmiquerybin object "" network_objects "name='$GROUP_NAME'" | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p'

'''All IPs and masks of group's members'''

 GROUPNAME="<group name>"
 cpmiquerybin object "" network_objects "name='$GROUPNAME'" | grep ":Name" | awk '{print $2}' | tr -d '()' | while read line; do
     IPADDRESS=`cpmiquerybin attr "" network_objects "name='$line'" -a ipaddr | tr -d '\t'`
     MASK=`cpmiquerybin attr "" network_objects "name='$line'" -a netmask`
     CIDR=`/usr/local/bin/mask2cidr $MASK`
     echo "$IPADDRESS/$MASK"
 done

List services with 'Match for Any' ticked

 cpmiquerybin attr "" services "include_in_any='true'" -a __name__

== MDS queries ==

list all MDSs

 cpmiquerybin attr "mdsdb" mdss "" -a __name__

list primary MDS

 cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__

list CMAs

 cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr
 cpmiquerybin attr "mdsdb" network_objects "hosted_by_mds='<mds_name>'" -a __name__

get IP for CLM name

 cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr

get list of firewalls / cp devices

 cpmiquerybin attr "mdsdb" network_objects "(type='gateway_cluster') | (type='gateway') | (type='cluster_member')" -a __name__

== CMA queries ==

List CLMs / log servers from CMA env

 cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr

***note*** the above is an example of a compound query

get CMA policy names

 cpmiquerybin attr "" fw_policies "" -a __name__

get CMA list of policy collections (similar to above)

 cpmiquerybin attr "" policies_collections "" -a __name__

get installable targets for a policy named Standard

 cpmiquerybin attr "" policies_collections "name='Standard'" -a __name__,installable_targets

print raw dump of a policy named Standard (it does contain rule UIDs, unlike dbedit output)

 cpmiquerybin object "" fw_policies "name='##Standard'"

dump MDS admin account info

 cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm

same as above plus formatting

 cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \
 | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; \
 if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manager"; \
 if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } '

get secondary CMA

 cpmiquerybin attr "" network_objects "(primary_management='false') & (management='true')" -a __name__

== cma global properties ==

individual parameters are not available by name. You have to dump them all and grep for what you want.

 cpmiquerybin object "" properties "name='firewall_properties'"

example - cma auto sync rules / objects on policy save global setting:

 cpmiquerybin object "" properties "name='firewall_properties'" |grep auto_sync_on_install | sed -n 's/.*(\([^ ]*\))/\1/p'

== Tables ==

queryable tables can be gleaned from tables.C

 cat tables.C |grep ": ("

== Default Queries for mdsquerydb ==

mdsquerydb utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin.

 $MDSDIR/conf/queries.conf

 # (c) Copyright 1993-2005 Check Point Software Technologies Ltd.
 # All rights reserved.
 #
 # This is proprietary information of Check Point Software Technologies
 # Ltd., which is provided for informational purposes only and for use
 # solely in conjunction with the authorized use of Check Point Software
 # Technologies Ltd. products. The viewing and use of this information is
 # subject, to the extent appropriate, to the terms and conditions of the
 # license agreement that authorizes the use of the relevant product.
 #
 # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool
 #
 # each line in queries.conf is:
 # $1 - query environment [ MDS | CMA | ANY ]
 # $2 - dbname
 # $3 - key
 # $4 - display format [ attr | object ]
 # $5 - tablename
 # $6 - query
 # $7 - fields to be printed
 #
 CMA ""      NetworkObjects        attr   network_objects      ""                     __name__,type     # Get name and type of all network objects
 MDS ""      GlobalNetworkObjects  attr   network_objects      ""                     __name__,type     # Get name and type of all global network objects
 MDS "mdsdb" NetworkObjects        attr   network_objects      ""                     __name__,type     # Get all customers' internal Check Point installed network objects
 MDS "mdsdb" Customers             attr   pv1_customers        ""                     __name__          # Get names of all PV-1 Customers
 MDS "mdsdb" Administrators        attr   pv1_administrators   ""                     __name__          # Get names of all PV-1 Administrators
 MDS "mdsdb" MDSs                  attr   mdss                 ""                     __name__,ipaddr   # Get names and IPs of all MDSs
 MDS "mdsdb" CMAs                  attr   network_objects      "management='true'"    __name__          # Get names of all CMAs
 CMA ""      Gateways              attr   network_objects      "type='gateway'"       __name__,ipaddr   # Get names and IPs of all gateways
 MDS "mdsdb" GuiClients            attr   pv1_guiclients       ""                     __name__,ipaddr   # Get names and IPs of all gui clients
 CMA ""      Status                attr   statuses             ""                     __name__
 CMA ""      Policies              object fw_policies          ""

[[category:check point]]
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 5da0ad5094c7cd0cdd33874ed170573f1b2578ca 681 680 2017-08-23T05:39:09Z Nighthawk 1 /* indentify firewall objects */ wikitext text/x-wiki cpmiquerybin is found on Provider-1 installations only. 
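The "All IPs and masks of group's members" loop above pulls member names out of an object dump with grep/sed and shells out to a local mask2cidr helper that the page never defines. The following is an added example, not code from the wiki page or from Check Point: it reproduces that member extraction and the netmask-to-prefix conversion as plain POSIX shell functions. cpmiquerybin is not called; SAMPLE_GROUP_DUMP and lookup_attr are constructed stand-ins for the "object" and "attr" query output, shaped so the page's own sed expression applies to them, and mask2cidr here is an assumed implementation of the helper, not the one on the wiki author's system.

```shell
#!/bin/sh
# Added example, not from the wiki page or from Check Point.  It reproduces
# the member-name extraction and mask handling of the page's "All IPs and
# masks of group's members" loop as reusable POSIX shell functions.
# cpmiquerybin is not invoked: SAMPLE_GROUP_DUMP and lookup_attr are
# CONSTRUCTED stand-ins for the "object" and "attr" query output, shaped so
# that the page's grep/sed pipeline applies to them.

SAMPLE_GROUP_DUMP='
Object Name: web_servers
        :ClassName (network_object_group)
        :members (
                : (ReferenceObject
                        :Name (web01)
                        :Table (network_objects)
                )
                : (ReferenceObject
                        :Name (dmz_net)
                        :Table (network_objects)
                )
        )
'

# group_members DUMP: one member name per line, using the same sed
# expression as the page's "All members of a group formatted" query.
group_members() {
    printf '%s\n' "$1" | grep ':Name' | sed -n 's/.*(\([^ ]*\))/\1/p'
}

# mask2cidr DOTTED_MASK: print the prefix length.  Fails on anything that is
# not four octets forming a contiguous run of one bits (255.0.255.0,
# 255.255.255), so a malformed netmask on an object cannot yield a bogus
# prefix.  Assumed stand-in for the page's /usr/local/bin/mask2cidr helper.
mask2cidr() {
    _bits=0
    _ended=0      # set once an octet below 255 has been seen
    _count=0
    _old_ifs=$IFS
    IFS=.
    for _octet in $1; do
        _count=$((_count + 1))
        if [ "$_ended" -eq 1 ] && [ "$_octet" != 0 ]; then
            IFS=$_old_ifs
            echo "mask2cidr: non-contiguous mask $1" >&2
            return 1
        fi
        case $_octet in
            255) _bits=$((_bits + 8)) ;;
            254) _bits=$((_bits + 7)); _ended=1 ;;
            252) _bits=$((_bits + 6)); _ended=1 ;;
            248) _bits=$((_bits + 5)); _ended=1 ;;
            240) _bits=$((_bits + 4)); _ended=1 ;;
            224) _bits=$((_bits + 3)); _ended=1 ;;
            192) _bits=$((_bits + 2)); _ended=1 ;;
            128) _bits=$((_bits + 1)); _ended=1 ;;
            0)   _ended=1 ;;
            *)   IFS=$_old_ifs
                 echo "mask2cidr: bad octet '$_octet' in $1" >&2
                 return 1 ;;
        esac
    done
    IFS=$_old_ifs
    if [ "$_count" -ne 4 ]; then
        echo "mask2cidr: expected four octets in $1" >&2
        return 1
    fi
    echo "$_bits"
}

# lookup_attr NAME ATTR: constructed stand-in for
#   cpmiquerybin attr "" network_objects "name='NAME'" -a ATTR
lookup_attr() {
    case "$1:$2" in
        web01:ipaddr)    echo 192.0.2.10 ;;
        web01:netmask)   echo 255.255.255.255 ;;
        dmz_net:ipaddr)  echo 192.0.2.0 ;;
        dmz_net:netmask) echo 255.255.255.0 ;;
        *)               return 1 ;;
    esac
}

# group_member_cidrs DUMP: print "name ip/prefix" per member.  A member whose
# attributes cannot be resolved or whose mask is malformed is reported on
# stderr and skipped rather than silently printing a half-formed line.
group_member_cidrs() {
    group_members "$1" | while read -r _m; do
        _ip=$(lookup_attr "$_m" ipaddr)    || { echo "skip $_m: no ipaddr" >&2; continue; }
        _mask=$(lookup_attr "$_m" netmask) || { echo "skip $_m: no netmask" >&2; continue; }
        _pfx=$(mask2cidr "$_mask")         || continue
        printf '%s %s/%s\n' "$_m" "$_ip" "$_pfx"
    done
}

group_member_cidrs "$SAMPLE_GROUP_DUMP"
```

To use this against a live CMA, replace the body of lookup_attr with the two cpmiquerybin attr calls from the page (keeping the `tr -d '\t'` on the ipaddr result) and feed group_member_cidrs the output of the object query; the validation in mask2cidr is the part worth keeping, since a non-contiguous mask on an object is a data error you want surfaced, not silently turned into a prefix.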
If you want to use it on a SmartCenter server, follow this guide [http://www.cpwiki.net/index.php/cpmiquerybin_on_SmartCenter_server cpmiquerybin on SmartCenter server] == Usage == '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' == indentify firewall objects == '''Standalone Firewalls''' cpmiquerybin attr "" network_objects "(type='gateway') & (location='internal')" -a __name__ '''clusters''' CLUSTERS=( `cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal')" -a __name__ | tr '\n' ' '` ) '''cluster members''' <br>list all objects of type cluster member cpmiquerybin attr "" network_objects "(type='cluster_member') | (type='gateway') & (location='internal')" -a __name__ <br> list the member of a particular cluster cpmiquerybin attr "" network_objects "name='<name_of_cluster_here>'" -a cluster_members '''identify clusters and standalone firewalls (excluding cluster members)''' cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal') | (type='gateway') & (location='internal')" -a __name__,svn_version_name cpmiquerybin object "mdsdb" pv1_administrators "" '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members anti-spoofing check on all firewall interfaces fw="xxx"; cpmiquerybin object "" network_objects "name='$fw'" |grep anti_spoof '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin 
object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects "name='$GROUP_NAME'" | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p' '''All IPs and masks of group's members''' GROUPNAME="<group name>"; cpmiquerybin object "" network_objects "name='$GROUPNAME'" | grep ":Name" | awk '{print $2}' | tr -d '()' | while read line; do IPADDRESS=`cpmiquerybin attr "" network_objects "name='$line'" -a ipaddr | tr -d '\t';`; MASK=`cpmiquerybin attr "" network_objects "name='$line'" -a netmask`; CIDR=`/usr/local/bin/mask2cidr $MASK`; echo "$IPADDRESS/$MASK"; done List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ list CMAs cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr cpmiquerybin attr "mdsdb" network_objects "hosted_by_mds='<mds_name>'" -a __name__ get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get list of firewalls / cp devices cpmiquerybin attr "mdsdb" network_objects "(type='gateway_cluster') | (type='gateway') | (type='cluster_members')" *** not sure how well the one above works... 
== CMA queries == List CLMs / log servers from CMA env cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr ***note*** above is example of a compound query get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ get CMA list of policy collections (similar to above) cpmiquerybin attr "" policies_collections "" -a __name__ get installable targets for a policy named standard cpmiquerybin attr "" policies_collections "name='Standar'" -a __name__,installable_targets print raw dump of a policy named Standard (it does contain rule UIDs unlike dbedit output) cpmiquerybin object "" fw_policies "name='##Standard'" dump MDS admin account info cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm same as above plus formatting cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \ | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; \ if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; \ if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' get secondary CMA cpmiquerybin attr "" network_objects "(primary_management='false') & (management='true')" -a __name__ == cma global properties == individual parameters are not available by name. You have to dump them all and grep for what you want. cpmiquerybin object "" properties "name='firewall_properties'" example - cma auto sync rules / objects on policy save global setting: cpmiquerybin object "" properties "name='firewall_properties'" |grep auto_sync_on_install | sed -n 's/.*(\([^ ]*\))/\1/p' == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. 
It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. # # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 941881b05c041a80fdb33b76adde602eaa642dd2 680 668 2017-08-22T15:51:14Z Nighthawk 1 /* MDS 
queries */ wikitext text/x-wiki cpmiquerybin is found on Provider-1 installations only. If you want to use it on a SmartCenter server, follow this guide [http://www.cpwiki.net/index.php/cpmiquerybin_on_SmartCenter_server cpmiquerybin on SmartCenter server] == Usage == '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' == indentify firewall objects == '''Standalone Firewalls''' cpmiquerybin attr "" network_objects "(type='gateway') & (location='internal')" -a __name__ '''clusters''' CLUSTERS=( `cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal')" -a __name__ | tr '\n' ' '` ) '''cluster members''' cpmiquerybin attr "" network_objects "(type='cluster_member') | (type='gateway') & (location='internal')" -a __name__ '''identify clusters and standalone firewalls (excluding cluster members)''' cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal') | (type='gateway') & (location='internal')" -a __name__,svn_version_name cpmiquerybin object "mdsdb" pv1_administrators "" '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members anti-spoofing check on all firewall interfaces fw="xxx"; cpmiquerybin object "" network_objects "name='$fw'" |grep anti_spoof '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of 
a group formatted''' cpmiquerybin object "" network_objects "name='$GROUP_NAME'" | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p' '''All IPs and masks of group's members''' GROUPNAME="<group name>"; cpmiquerybin object "" network_objects "name='$GROUPNAME'" | grep ":Name" | awk '{print $2}' | tr -d '()' | while read line; do IPADDRESS=`cpmiquerybin attr "" network_objects "name='$line'" -a ipaddr | tr -d '\t';`; MASK=`cpmiquerybin attr "" network_objects "name='$line'" -a netmask`; CIDR=`/usr/local/bin/mask2cidr $MASK`; echo "$IPADDRESS/$MASK"; done List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ list CMAs cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr cpmiquerybin attr "mdsdb" network_objects "hosted_by_mds='<mds_name>'" -a __name__ get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get list of firewalls / cp devices cpmiquerybin attr "mdsdb" network_objects "(type='gateway_cluster') | (type='gateway') | (type='cluster_members')" *** not sure how well the one above works... 
== CMA queries == List CLMs / log servers from CMA env cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr ***note*** above is example of a compound query get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ get CMA list of policy collections (similar to above) cpmiquerybin attr "" policies_collections "" -a __name__ get installable targets for a policy named standard cpmiquerybin attr "" policies_collections "name='Standar'" -a __name__,installable_targets print raw dump of a policy named Standard (it does contain rule UIDs unlike dbedit output) cpmiquerybin object "" fw_policies "name='##Standard'" dump MDS admin account info cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm same as above plus formatting cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \ | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; \ if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; \ if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' get secondary CMA cpmiquerybin attr "" network_objects "(primary_management='false') & (management='true')" -a __name__ == cma global properties == individual parameters are not available by name. You have to dump them all and grep for what you want. cpmiquerybin object "" properties "name='firewall_properties'" example - cma auto sync rules / objects on policy save global setting: cpmiquerybin object "" properties "name='firewall_properties'" |grep auto_sync_on_install | sed -n 's/.*(\([^ ]*\))/\1/p' == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. 
It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. # # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] a94d0a11b77a139b9a653c341ff80698d5120a34 668 626 2017-07-04T04:05:10Z Nighthawk 1 wikitext 
text/x-wiki cpmiquerybin is found on Provider-1 installations only. If you want to use it on a SmartCenter server, follow this guide [http://www.cpwiki.net/index.php/cpmiquerybin_on_SmartCenter_server cpmiquerybin on SmartCenter server] == Usage == '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' == indentify firewall objects == '''Standalone Firewalls''' cpmiquerybin attr "" network_objects "(type='gateway') & (location='internal')" -a __name__ '''clusters''' CLUSTERS=( `cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal')" -a __name__ | tr '\n' ' '` ) '''cluster members''' cpmiquerybin attr "" network_objects "(type='cluster_member') | (type='gateway') & (location='internal')" -a __name__ '''identify clusters and standalone firewalls (excluding cluster members)''' cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal') | (type='gateway') & (location='internal')" -a __name__,svn_version_name cpmiquerybin object "mdsdb" pv1_administrators "" '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members anti-spoofing check on all firewall interfaces fw="xxx"; cpmiquerybin object "" network_objects "name='$fw'" |grep anti_spoof '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' 
cpmiquerybin object "" network_objects "name='$GROUP_NAME'" | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p' '''All IPs and masks of group's members''' GROUPNAME="<group name>"; cpmiquerybin object "" network_objects "name='$GROUPNAME'" | grep ":Name" | awk '{print $2}' | tr -d '()' | while read line; do IPADDRESS=`cpmiquerybin attr "" network_objects "name='$line'" -a ipaddr | tr -d '\t';`; MASK=`cpmiquerybin attr "" network_objects "name='$line'" -a netmask`; CIDR=`/usr/local/bin/mask2cidr $MASK`; echo "$IPADDRESS/$MASK"; done List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ list CMAs cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get list of firewalls / cp devices cpmiquerybin attr "mdsdb" network_objects "(type='gateway_cluster') | (type='gateway') | (type='cluster_members')" *** not sure how well the one above works... 
== CMA queries == List CLMs / log servers from CMA env cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr ***note*** above is example of a compound query get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ get CMA list of policy collections (similar to above) cpmiquerybin attr "" policies_collections "" -a __name__ get installable targets for a policy named standard cpmiquerybin attr "" policies_collections "name='Standar'" -a __name__,installable_targets print raw dump of a policy named Standard (it does contain rule UIDs unlike dbedit output) cpmiquerybin object "" fw_policies "name='##Standard'" dump MDS admin account info cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm same as above plus formatting cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \ | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; \ if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; \ if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' get secondary CMA cpmiquerybin attr "" network_objects "(primary_management='false') & (management='true')" -a __name__ == cma global properties == individual parameters are not available by name. You have to dump them all and grep for what you want. cpmiquerybin object "" properties "name='firewall_properties'" example - cma auto sync rules / objects on policy save global setting: cpmiquerybin object "" properties "name='firewall_properties'" |grep auto_sync_on_install | sed -n 's/.*(\([^ ]*\))/\1/p' == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. 
It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. # # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] fbcaf8de9654f488851b16377fe28ebcf6452a07 626 625 2017-04-16T22:11:10Z Nighthawk 1 /* 
indentify firewall objects */ wikitext text/x-wiki cpmiquerybin is found on Provider-1 installations only. If you want to use it on a SmartCenter server, follow this guide [http://www.cpwiki.net/index.php/cpmiquerybin_on_SmartCenter_server cpmiquerybin on SmartCenter server] == Usage == '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' == indentify firewall objects == '''Standalone Firewalls''' cpmiquerybin attr "" network_objects "(type='gateway') & (location='internal')" -a __name__ '''clusters''' CLUSTERS=( `cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal')" -a __name__ | tr '\n' ' '` ) '''cluster members''' cpmiquerybin attr "" network_objects "(type='cluster_member') | (type='gateway') & (location='internal')" -a __name__ '''identify clusters and standalone firewalls (excluding cluster members)''' cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal') | (type='gateway') & (location='internal')" -a __name__,svn_version_name cpmiquerybin object "mdsdb" pv1_administrators "" '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members anti-spoofing check on all firewall interfaces fw="xxx"; cpmiquerybin object "" network_objects "name='$fw'" |grep anti_spoof '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" 
'''All members of a group formatted'''
<pre>cpmiquerybin object "" network_objects "name='$GROUP_NAME'" | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p'</pre>

'''List services with 'Match for Any' ticked'''
<pre>cpmiquerybin attr "" services "include_in_any='true'" -a __name__</pre>

== MDS queries ==
'''list all MDSs'''
<pre>cpmiquerybin attr "mdsdb" mdss "" -a __name__</pre>

'''list primary MDS'''
<pre>cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__</pre>

'''list CMAs'''
<pre>cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr</pre>

'''get IP for CLM name'''
<pre>cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr</pre>

'''get list of firewalls / cp devices'''
<pre>cpmiquerybin attr "mdsdb" network_objects "(type='gateway_cluster') | (type='gateway') | (type='cluster_member')"</pre>
not sure how well the one above works...

== CMA queries ==
'''List CLMs / log servers from CMA env''' (an example of a compound query)
<pre>cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr</pre>

'''get CMA policy names'''
<pre>cpmiquerybin attr "" fw_policies "" -a __name__</pre>

'''get CMA list of policy collections''' (similar to above)
<pre>cpmiquerybin attr "" policies_collections "" -a __name__</pre>

'''get installable targets for a policy named Standard'''
<pre>cpmiquerybin attr "" policies_collections "name='Standard'" -a __name__,installable_targets</pre>

'''print raw dump of a policy named Standard''' (it does contain rule UIDs, unlike dbedit output)
<pre>cpmiquerybin object "" fw_policies "name='##Standard'"</pre>

'''dump MDS admin account info'''
<pre>cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm</pre>

'''same as above plus formatting''' (maps the msp_perm value to its permission profile name)
<pre>cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \
  | awk '{ printf "%s,", $1; for (i = 2; i < NF; i++) printf "%s", $i; printf ",";
           if ($NF == 80000000) print "Provider-1 Superuser";
           if ($NF == 40000000) print "Customer Superuser";
           if ($NF == 20000000) print "Global Manager";
           if ($NF == 10000000) print "Customer Manager";
           if ($NF == 00000000) print "None"; }'</pre>

'''get secondary CMA'''
<pre>cpmiquerybin attr "" network_objects "(primary_management='false') & (management='true')" -a __name__</pre>

== cma global properties ==
Individual parameters are not available by name. You have to dump them all and grep for what you want.
<pre>cpmiquerybin object "" properties "name='firewall_properties'"</pre>

Example - the CMA global setting for auto sync of rules / objects on policy save:
<pre>cpmiquerybin object "" properties "name='firewall_properties'" | grep auto_sync_on_install | sed -n 's/.*(\([^ ]*\))/\1/p'</pre>

== Tables ==
Queryable tables can be gleaned from tables.C:
<pre>cat tables.C | grep ": ("</pre>

== Default Queries for mdsquerydb ==
mdsquerydb utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin.

$MDSDIR/conf/queries.conf
<pre>
# (c) Copyright 1993-2005 Check Point Software Technologies Ltd.
# All rights reserved.
#
# This is proprietary information of Check Point Software Technologies
# Ltd., which is provided for informational purposes only and for use
# solely in conjunction with the authorized use of Check Point Software
# Technologies Ltd. products. The viewing and use of this information is
# subject, to the extent appropriate, to the terms and conditions of the
# license agreement that authorizes the use of the relevant product.
#
# This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool
#
# each line in queries.conf is:
# $1 - query environment [ MDS | CMA | ANY ]
# $2 - dbname
# $3 - key
# $4 - display format [ attr | object ]
# $5 - tablename
# $6 - query
# $7 - fields to be printed
#
CMA ""      NetworkObjects        attr   network_objects    ""                  __name__,type    # Get name and type of all network objects
MDS ""      GlobalNetworkObjects  attr   network_objects    ""                  __name__,type    # Get name and type of all global network objects
MDS "mdsdb" NetworkObjects        attr   network_objects    ""                  __name__,type    # Get all customers' internal Check Point installed network objects
MDS "mdsdb" Customers             attr   pv1_customers      ""                  __name__         # Get names of all PV-1 Customers
MDS "mdsdb" Administrators        attr   pv1_administrators ""                  __name__         # Get names of all PV-1 Administrators
MDS "mdsdb" MDSs                  attr   mdss               ""                  __name__,ipaddr  # Get names and IPs of all MDSs
MDS "mdsdb" CMAs                  attr   network_objects    "management='true'" __name__         # Get names of all CMAs
CMA ""      Gateways              attr   network_objects    "type='gateway'"    __name__,ipaddr  # Get names and IPs of all gateways
MDS "mdsdb" GuiClients            attr   pv1_guiclients     ""                  __name__,ipaddr  # Get names and IPs of all gui clients
CMA ""      Status                attr   statuses           ""                  __name__
CMA ""      Policies              object fw_policies        ""
</pre>

[[category:check point]]
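The queries.conf layout above is easiest to understand by watching a row turn into a command line. The following shell script is an added example, not code from cpwiki.net, from mdsquerydb or from Check Point: it embeds a few rows copied from the listing (plus one constructed row, keyed LogServers, that reuses the compound query from the CMA queries section to show a quoted field containing spaces) and builds the cpmiquerybin invocation from the seven fields. The function names query_cmd and sample_queries_conf are the example's own, and treating an ANY environment as matching both MDS and CMA is this example's reading of the header comment, not documented behaviour.

```shell
#!/bin/sh
# Added example, not from the cpwiki page, mdsquerydb or Check Point: shows how
# the seven fields of an mdsquerydb queries.conf row ($1 environment, $2 dbname,
# $3 key, $4 display format, $5 table, $6 query, $7 fields) map onto a
# cpmiquerybin command line. Only the row layout is taken from the page.

# Constructed sample: rows copied from the page's queries.conf listing, plus a
# constructed LogServers row whose quoted query contains spaces and parentheses.
sample_queries_conf() {
cat <<'EOF'
# $1 - query environment [ MDS | CMA | ANY ]
# $2 - dbname   $3 - key   $4 - display format [ attr | object ]
# $5 - tablename   $6 - query   $7 - fields to be printed
CMA ""      NetworkObjects attr   network_objects ""                  __name__,type    # Get name and type of all network objects
MDS "mdsdb" CMAs           attr   network_objects "management='true'" __name__         # Get names of all CMAs
CMA ""      Gateways       attr   network_objects "type='gateway'"    __name__,ipaddr  # Get names and IPs of all gateways
CMA ""      LogServers     attr   network_objects "(log_server='true') & (management='false')" __name__,ipaddr  # constructed row
CMA ""      Policies       object fw_policies     ""
EOF
}

# query_cmd ENV KEY: print the cpmiquerybin invocation for the row whose
# environment ($1, or ANY) and key ($3) match; exit status 1 when no row matches.
query_cmd() {
    sample_queries_conf | awk -v env="$1" -v key="$2" '
    # Split one row into words: a double-quoted string is a single word even when
    # it contains spaces, and everything after an unquoted # is a comment.
    function tokenize(line, toks,    n, i, c, tok, inq) {
        split("", toks); n = 0; tok = ""; inq = 0
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (inq) {
                if (c == "\"") { inq = 0; toks[++n] = tok; tok = "" } else tok = tok c
            } else if (c == "\"") {
                inq = 1
            } else if (c == "#") {
                break
            } else if (c == " " || c == "\t") {
                if (tok != "") { toks[++n] = tok; tok = "" }
            } else {
                tok = tok c
            }
        }
        if (tok != "") toks[++n] = tok
        return n
    }
    {
        n = tokenize($0, t)
        if (n < 6) next                          # comment, blank or malformed row
        if ((t[1] != env && t[1] != "ANY") || t[3] != key) next
        cmd = "cpmiquerybin " t[4] " \"" t[2] "\" " t[5] " \"" t[6] "\""
        if (n >= 7) cmd = cmd " -a " t[7]        # object-format rows carry no field list
        print cmd; found = 1; exit
    }
    END { exit !found }'
}

# Usage: each call prints the command mdsquerydb would run for that key.
query_cmd CMA Gateways
query_cmd MDS CMAs
query_cmd CMA LogServers
query_cmd CMA Policies
```

Because the environment column is part of the match, asking for the Gateways key in the MDS environment returns nothing: the table only defines that query for a CMA shell, which mirrors the CMA/MDS split of the sections above.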
If you want to use it on a SmartCenter server, follow this guide [http://www.cpwiki.net/index.php/cpmiquerybin_on_SmartCenter_server cpmiquerybin on SmartCenter server] == Usage == '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' == indentify firewall objects == '''Standalone Firewalls''' cpmiquerybin attr "" network_objects "(type='gateway') & (location='internal')" -a __name__ <br>'''clusters''' CLUSTERS=( `cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal')" -a __name__ | tr '\n' ' '` ) <br>'''cluster members''' cpmiquerybin attr "" network_objects "(type='cluster_member') | (type='gateway') & (location='internal')" -a __name__ <br>'''identify clusters and standalone firewalls (excluding cluster members)''' cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal') | (type='gateway') & (location='internal')" -a __name__,svn_version_name cpmiquerybin object "mdsdb" pv1_administrators "" '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members anti-spoofing check on all firewall interfaces fw="xxx"; cpmiquerybin object "" network_objects "name='$fw'" |grep anti_spoof '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects 
"name='$GROUP_NAME'" | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p' List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ list CMAs cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get list of firewalls / cp devices cpmiquerybin attr "mdsdb" network_objects "(type='gateway_cluster') | (type='gateway') | (type='cluster_members')" *** not sure how well the one above works... == CMA queries == List CLMs / log servers from CMA env cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr ***note*** above is example of a compound query get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ get CMA list of policy collections (similar to above) cpmiquerybin attr "" policies_collections "" -a __name__ get installable targets for a policy named standard cpmiquerybin attr "" policies_collections "name='Standar'" -a __name__,installable_targets print raw dump of a policy named Standard (it does contain rule UIDs unlike dbedit output) cpmiquerybin object "" fw_policies "name='##Standard'" dump MDS admin account info cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm same as above plus formatting cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \ | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; \ if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; \ if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' get secondary CMA cpmiquerybin 
attr "" network_objects "(primary_management='false') & (management='true')" -a __name__ == cma global properties == individual parameters are not available by name. You have to dump them all and grep for what you want. cpmiquerybin object "" properties "name='firewall_properties'" example - cma auto sync rules / objects on policy save global setting: cpmiquerybin object "" properties "name='firewall_properties'" |grep auto_sync_on_install | sed -n 's/.*(\([^ ]*\))/\1/p' == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 1491b1dba688d37b02f1da78eac8628da40e803a 624 623 2017-04-16T22:09:58Z Nighthawk 1 /* indentify firewall objects */ wikitext text/x-wiki cpmiquerybin is found on Provider-1 installations only. 
If you want to use it on a SmartCenter server, follow this guide [http://www.cpwiki.net/index.php/cpmiquerybin_on_SmartCenter_server cpmiquerybin on SmartCenter server] == Usage == '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' == indentify firewall objects == '''Standalone Firewalls''' <br>cpmiquerybin attr "" network_objects "(type='gateway') & (location='internal')" -a __name__ <br>'''clusters''' <br>CLUSTERS=( `cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal')" -a __name__ | tr '\n' ' '` ) <br>'''cluster members''' <br>cpmiquerybin attr "" network_objects "(type='cluster_member') | (type='gateway') & (location='internal')" -a __name__ <br>'''identify clusters and standalone firewalls (excluding cluster members)''' cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal') | (type='gateway') & (location='internal')" -a __name__,svn_version_name cpmiquerybin object "mdsdb" pv1_administrators "" '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members anti-spoofing check on all firewall interfaces fw="xxx"; cpmiquerybin object "" network_objects "name='$fw'" |grep anti_spoof '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects 
"name='$GROUP_NAME'" | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p' List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ list CMAs cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get list of firewalls / cp devices cpmiquerybin attr "mdsdb" network_objects "(type='gateway_cluster') | (type='gateway') | (type='cluster_members')" *** not sure how well the one above works... == CMA queries == List CLMs / log servers from CMA env cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr ***note*** above is example of a compound query get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ get CMA list of policy collections (similar to above) cpmiquerybin attr "" policies_collections "" -a __name__ get installable targets for a policy named standard cpmiquerybin attr "" policies_collections "name='Standar'" -a __name__,installable_targets print raw dump of a policy named Standard (it does contain rule UIDs unlike dbedit output) cpmiquerybin object "" fw_policies "name='##Standard'" dump MDS admin account info cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm same as above plus formatting cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \ | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; \ if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; \ if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' get secondary CMA cpmiquerybin 
attr "" network_objects "(primary_management='false') & (management='true')" -a __name__ == cma global properties == individual parameters are not available by name. You have to dump them all and grep for what you want. cpmiquerybin object "" properties "name='firewall_properties'" example - cma auto sync rules / objects on policy save global setting: cpmiquerybin object "" properties "name='firewall_properties'" |grep auto_sync_on_install | sed -n 's/.*(\([^ ]*\))/\1/p' == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 4b6e06de568c52b268274d1786374937d63a06d8 623 622 2017-04-16T21:57:49Z Nighthawk 1 /* indentify firewall objects */ wikitext text/x-wiki cpmiquerybin is found on Provider-1 installations only. 
If you want to use it on a SmartCenter server, follow this guide [http://www.cpwiki.net/index.php/cpmiquerybin_on_SmartCenter_server cpmiquerybin on SmartCenter server] == Usage == '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' == indentify firewall objects == '''Standalone Firewalls''' <br>cpmiquerybin attr "" network_objects "(type='gateway') & (location='internal')" -a __name__ <br>'''clusters''' <br>CLUSTERS=( `cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal')" -a __name__ | tr '\n' ' '` ) <br>'''cluster members''' <br>cpmiquerybin attr "" network_objects "(type='cluster_member') | (type='gateway') & (location='internal')" -a __name__ <br>'''identify clusters and standalone firewalls (excluding cluster members)''' <br><pre> cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal') | (type='gateway') & (location='internal')" -a __name__,svn_version_name</pre> cpmiquerybin object "mdsdb" pv1_administrators "" '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members anti-spoofing check on all firewall interfaces fw="xxx"; cpmiquerybin object "" network_objects "name='$fw'" |grep anti_spoof '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" 
network_objects "name='$GROUP_NAME'" | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p' List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ list CMAs cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get list of firewalls / cp devices cpmiquerybin attr "mdsdb" network_objects "(type='gateway_cluster') | (type='gateway') | (type='cluster_members')" *** not sure how well the one above works... == CMA queries == List CLMs / log servers from CMA env cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr ***note*** above is example of a compound query get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ get CMA list of policy collections (similar to above) cpmiquerybin attr "" policies_collections "" -a __name__ get installable targets for a policy named standard cpmiquerybin attr "" policies_collections "name='Standar'" -a __name__,installable_targets print raw dump of a policy named Standard (it does contain rule UIDs unlike dbedit output) cpmiquerybin object "" fw_policies "name='##Standard'" dump MDS admin account info cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm same as above plus formatting cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \ | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; \ if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; \ if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' get secondary CMA 
cpmiquerybin attr "" network_objects "(primary_management='false') & (management='true')" -a __name__ == cma global properties == individual parameters are not available by name. You have to dump them all and grep for what you want. cpmiquerybin object "" properties "name='firewall_properties'" example - cma auto sync rules / objects on policy save global setting: cpmiquerybin object "" properties "name='firewall_properties'" |grep auto_sync_on_install | sed -n 's/.*(\([^ ]*\))/\1/p' == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] ca5809e3a73d71a71d73ae009b5b01e2d7238c21 622 621 2017-04-16T21:55:21Z Nighthawk 1 /* jumbled examples */ wikitext text/x-wiki cpmiquerybin is found on Provider-1 installations only. 
If you want to use it on a SmartCenter server, follow this guide [http://www.cpwiki.net/index.php/cpmiquerybin_on_SmartCenter_server cpmiquerybin on SmartCenter server] == Usage == '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' == indentify firewall objects == '''Standalone Firewalls''' <br>cpmiquerybin attr "" network_objects "(type='gateway') & (location='internal')" -a __name__ <br>'''clusters''' <br>CLUSTERS=( `cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal')" -a __name__ | tr '\n' ' '` ) <br>'''cluster members''' <br>cpmiquerybin attr "" network_objects "(type='cluster_member') | (type='gateway') & (location='internal')" -a __name__ <br>'''identify clusters and standalone firewalls (excluding cluster members)''' <br>cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal') | (type='gateway') & (location='internal')" -a __name__,svn_version_name cpmiquerybin object "mdsdb" pv1_administrators "" '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members anti-spoofing check on all firewall interfaces fw="xxx"; cpmiquerybin object "" network_objects "name='$fw'" |grep anti_spoof '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects 
"name='$GROUP_NAME'" | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p' List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ list CMAs cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get list of firewalls / cp devices cpmiquerybin attr "mdsdb" network_objects "(type='gateway_cluster') | (type='gateway') | (type='cluster_members')" *** not sure how well the one above works... == CMA queries == List CLMs / log servers from CMA env cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr ***note*** above is example of a compound query get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ get CMA list of policy collections (similar to above) cpmiquerybin attr "" policies_collections "" -a __name__ get installable targets for a policy named standard cpmiquerybin attr "" policies_collections "name='Standar'" -a __name__,installable_targets print raw dump of a policy named Standard (it does contain rule UIDs unlike dbedit output) cpmiquerybin object "" fw_policies "name='##Standard'" dump MDS admin account info cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm same as above plus formatting cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \ | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; \ if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; \ if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' get secondary CMA cpmiquerybin 
attr "" network_objects "(primary_management='false') & (management='true')" -a __name__ == cma global properties == individual parameters are not available by name. You have to dump them all and grep for what you want. cpmiquerybin object "" properties "name='firewall_properties'" example - cma auto sync rules / objects on policy save global setting: cpmiquerybin object "" properties "name='firewall_properties'" |grep auto_sync_on_install | sed -n 's/.*(\([^ ]*\))/\1/p' == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 7e969aa7f9f01dd812a51d4640f7302b54622d8c 621 613 2017-04-16T21:53:01Z Nighthawk 1 /* jumbled examples */ wikitext text/x-wiki cpmiquerybin is found on Provider-1 installations only. 
If you want to use it on a SmartCenter server, follow this guide: [http://www.cpwiki.net/index.php/cpmiquerybin_on_SmartCenter_server cpmiquerybin on SmartCenter server]

== Usage ==
 cpmiquerybin <query_result_type> <database> <table> <query> [-a <attributes_list>]

== jumbled examples ==
'''identify firewall objects'''

Standalone firewalls:
 cpmiquerybin attr "" network_objects "(type='gateway') & (location='internal')" -a __name__

Clusters (stored in a bash array):
 CLUSTERS=( `cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal')" -a __name__ | tr '\n' ' '` )

Cluster members:
 cpmiquerybin attr "" network_objects "(type='cluster_member') | (type='gateway') & (location='internal')" -a __name__

Identify clusters or standalone firewalls, with their version:
 cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal') | (type='gateway') & (location='internal')" -a __name__,svn_version_name

Raw dump of all MDS administrator objects:
 cpmiquerybin object "mdsdb" pv1_administrators ""

'''get name of all objects of type cluster member'''
 cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__

'''To get a list of names of all VALID cluster members from cluster object name'''
 cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g'
or
 cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members

Anti-spoofing check on all firewall interfaces:
 fw="xxx"; cpmiquerybin object "" network_objects "name='$fw'" |grep anti_spoof

'''query all objects for an ip address'''
 cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr

From the CMA environment, list management/CMA objects:
 cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr

'''All members of a group'''
 cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name"

'''All members of a group formatted'''
 cpmiquerybin object "" network_objects "name='$GROUP_NAME'" | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p'

List services with 'Match for Any' ticked:
 cpmiquerybin attr "" services "include_in_any='true'" -a __name__

== MDS queries ==
List all MDSs:
 cpmiquerybin attr "mdsdb" mdss "" -a __name__

List the primary MDS:
 cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__

List CMAs:
 cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr

Get the IP for a CLM name:
 cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr

Get a list of firewalls / Check Point devices:
 cpmiquerybin attr "mdsdb" network_objects "(type='gateway_cluster') | (type='gateway') | (type='cluster_member')"
*** not sure how well the one above works...

== CMA queries ==
List CLMs / log servers from the CMA environment (an example of a compound query):
 cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr

Get CMA policy names:
 cpmiquerybin attr "" fw_policies "" -a __name__

Get the CMA list of policy collections (similar to above):
 cpmiquerybin attr "" policies_collections "" -a __name__

Get installable targets for a policy named Standard:
 cpmiquerybin attr "" policies_collections "name='Standard'" -a __name__,installable_targets

Print a raw dump of a policy named Standard (it does contain rule UIDs, unlike dbedit output):
 cpmiquerybin object "" fw_policies "name='##Standard'"

Dump MDS admin account info:
 cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm

Same as above plus formatting (decodes the msp_perm value into the role name):
 cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \
 | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; \
 if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manager"; \
 if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } '

Get the secondary CMA:
 cpmiquerybin attr "" network_objects "(primary_management='false') & (management='true')" -a __name__

== cma global properties ==
Individual parameters are not available by name. You have to dump them all and grep for what you want.
 cpmiquerybin object "" properties "name='firewall_properties'"

Example - the CMA "auto sync rules / objects on policy save" global setting:
 cpmiquerybin object "" properties "name='firewall_properties'" |grep auto_sync_on_install | sed -n 's/.*(\([^ ]*\))/\1/p'

== Tables ==
Queryable tables can be gleaned from tables.C:
 cat tables.C |grep ": ("

== Default Queries for mdsquerydb ==
mdsquerydb utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin.

$MDSDIR/conf/queries.conf:
 # (c) Copyright 1993-2005 Check Point Software Technologies Ltd.
 # All rights reserved.
 #
 # This is proprietary information of Check Point Software Technologies
 # Ltd., which is provided for informational purposes only and for use
 # solely in conjunction with the authorized use of Check Point Software
 # Technologies Ltd. products. The viewing and use of this information is
 # subject, to the extent appropriate, to the terms and conditions of the
 # license agreement that authorizes the use of the relevant product.
 #
 # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool
 #
 # each line in queries.conf is:
 # $1 - query environment [ MDS | CMA | ANY ]
 # $2 - dbname
 # $3 - key
 # $4 - display format [ attr | object ]
 # $5 - tablename
 # $6 - query
 # $7 - fields to be printed
 #
 CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects
 MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects
 MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects
 MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers
 MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators
 MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs
 MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs
 CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways
 MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients
 CMA "" Status attr statuses "" __name__
 CMA "" Policies object fw_policies ""

[[category:check point]]
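The formatted admin dump under CMA queries decodes msp_perm codes into role names with an awk one-liner. As an added example (not code from this wiki page), the shell function below does the same decoding over a constructed sample of that three-column output, with fixed printf format strings, multi-word auth_method values kept intact, and unrecognised codes flagged instead of silently dropped; the sample lines and the superusers helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the cpwiki page: decode the three-column output of
#   cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm
# into CSV with the msp_perm code translated to its Provider-1 role name.
# Compared with the page's awk one-liner, this version uses fixed printf format
# strings (a "%" in a name cannot break it), keeps the spaces inside multi-word
# auth_method values, and flags codes it does not recognise instead of printing
# an empty role, which matters when the output feeds a privileged-account review.

# Constructed sample of cpmiquerybin output (name, auth_method, msp_perm); a
# real MDS would produce lines like these from the command above.
SAMPLE_ADMINS='alice os 80000000
bob internal 40000000
carol radius 20000000
dave internal 10000000
eve internal 00000000
frank os password 10000000
mallory tacacs 12345678'

# admins_to_csv: read "name auth_method... msp_perm" lines on stdin and print
# name,auth_method,role. The first field is the name and the last field is the
# permission code; everything in between is the authentication method.
admins_to_csv() {
  awk '
    function role(code) {
      if (code == "80000000") return "Provider-1 Superuser"
      if (code == "40000000") return "Customer Superuser"
      if (code == "20000000") return "Global Manager"
      if (code == "10000000") return "Customer Manager"
      if (code == "00000000") return "None"
      return "UNKNOWN(" code ")"
    }
    NF >= 3 {
      auth = $2
      for (i = 3; i < NF; i++) auth = auth " " $i
      printf "%s,%s,%s\n", $1, auth, role($NF)
    }'
}

# superusers: names holding Provider-1 Superuser rights, the accounts a
# periodic privileged-access review should look at first.
superusers() {
  admins_to_csv | awk -F, '$3 == "Provider-1 Superuser" { print $1 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_ADMINS" | admins_to_csv
printf 'superusers: %s\n' "$(printf '%s\n' "$SAMPLE_ADMINS" | superusers | tr '\n' ' ')"
```

On a real MDS, replace the sample with the live command output piped straight into admins_to_csv.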
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 543 371 2014-10-07T15:23:23Z Nighthawk 1 /* jumbled examples */ wikitext text/x-wiki cpmiquerybin is found on Provider-1 installations only. 
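The per-firewall anti-spoofing check in the examples above only greps for the attribute, so it cannot tell you which interface a false belongs to, and an interface that has no anti_spoof attribute at all goes unnoticed. The following is an added example written for this page (it is not cpwiki's or Check Point's code): a small awk parser that walks the nested ":attribute (value)" structure of a cpmiquerybin object dump, attributes each anti_spoof value to its interface, and reports every interface that is not explicitly true, then loops that over the internal gateways and cluster members the way the bash-array examples do. It assumes the dump uses Check Point's .C layout (":key (value)" leaves, ":key (" or ": (" opening a nested block, ")" closing it) and that an interface's name is carried in an officialname attribute; that attribute name is an assumption, so check a real dump with grep and adjust it if your version differs. The gateway dump embedded in the script is constructed for the example.

```shell
#!/bin/sh
# Added example: anti-spoofing audit over cpmiquerybin object dumps.
# Assumptions (not from the original page): the dump is the .C layout,
# i.e. ":key (value)" leaves, ":key (" / ": (" opening nested blocks and
# ")" closing them, and an interface is named by its officialname attribute.
# The anti_spoof attribute is the one this page greps for.

# spoof_report: read one object dump on stdin, print "<iface> <anti_spoof>"
# for every element under :interfaces. An interface with no anti_spoof
# attribute is printed as "unset" rather than silently skipped.
spoof_report() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        # opening a nested block: a line ending in "(", or ":key (Class" with
        # no closing paren (the form group member references use)
        if (line ~ /\($/ || (line ~ /^:[A-Za-z0-9_]* \(/ && line !~ /\)$/)) {
            depth++
            key = line; sub(/ \(.*$/, "", key); sub(/^:/, "", key)
            if (key == "interfaces") iface_depth = depth
            else if (iface_depth && depth == iface_depth + 1 && key == "") {
                in_iface = 1; name = "?"; spoof = "unset"
            }
            next
        }
        # closing a block: emit the interface when its own element closes
        if (line ~ /^\)$/) {
            if (in_iface && depth == iface_depth + 1) { print name, spoof; in_iface = 0 }
            if (depth == iface_depth) iface_depth = 0
            depth--
            next
        }
        # leaf ":key (value)" anywhere inside the current interface element,
        # so it does not matter whether anti_spoof sits in a sub-block
        if (in_iface && line ~ /^:[A-Za-z0-9_]+ \(.*\)$/) {
            key = line; sub(/^:/, "", key); sub(/ \(.*$/, "", key)
            val = line; sub(/^:[A-Za-z0-9_]+ \(/, "", val); sub(/\)$/, "", val)
            if (key == "officialname") name = val
            if (key == "anti_spoof") spoof = val
        }
    }'
}

# spoof_gaps: only the interfaces where anti-spoofing is not explicitly on.
spoof_gaps() {
    spoof_report | awk '$2 != "true"'
}

# audit_all: live run on a management server, one dump per internal gateway
# or cluster member, with the object name prefixed to each finding.
audit_all() {
    cpmiquerybin attr "" network_objects \
        "((type='cluster_member') | (type='gateway')) & (location='internal')" -a __name__ |
    while read -r fw; do
        cpmiquerybin object "" network_objects "name='$fw'" | spoof_gaps |
            awk -v fw="$fw" '{ print fw, $0 }'
    done
}

# Constructed sample dump (not real output): eth0 has anti-spoofing on inside
# a nested spoof block, eth1 has it off, eth2 has no anti_spoof attribute.
SAMPLE_GW=':interfaces (
    : (
        :officialname (eth0)
        :ipaddr (203.0.113.1)
        :spoof (
            :anti_spoof (true)
        )
    )
    : (
        :officialname (eth1)
        :ipaddr (10.0.0.1)
        :anti_spoof (false)
    )
    : (
        :officialname (eth2)
        :ipaddr (192.168.5.1)
    )
)'

# Offline demo; on a management server run audit_all instead.
printf '%s\n' "$SAMPLE_GW" | spoof_gaps
```

On the sample this prints "eth1 false" and "eth2 unset"; an interface with the attribute missing is reported on purpose, because "not present" is not the same as "enabled" and is exactly the kind of gap a grep for anti_spoof would miss.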
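Since mdsquerydb only looks a key up in queries.conf and runs the matching cpmiquerybin command, the lookup itself is easy to reproduce. The following is an added example for this page (not mdsquerydb's own code): a POSIX shell function that resolves an environment and key to the command line, tokenising each entry with quote awareness because fields 2 and 6 are double-quoted and a query may contain spaces. The entries embedded in it are the page's own queries.conf listing, reproduced so the script runs without a Provider-1 install; treating an unquoted # as a comment and running entries without a seventh field without -a are assumptions.

```shell
#!/bin/sh
# Added example: resolve a queries.conf entry to the cpmiquerybin command
# line the way mdsquerydb does. Field layout per the file header:
#   $1 env (MDS|CMA|ANY)  $2 dbname  $3 key  $4 attr|object
#   $5 table  $6 query  $7 attributes to print (optional)
# Assumptions (not stated on the page): an unquoted # starts a comment, and an
# entry without a 7th field is run without -a.

# query_cmd <env> <key>   (queries.conf on stdin)
# Prints the command for the first matching entry, nothing if none matches.
query_cmd() {
    awk -v want_env="$1" -v want_key="$2" '
    # Split s into whitespace-separated tokens, keeping "..." groups intact
    # (the empty "" is a real token) and stopping at an unquoted #.
    function tokenize(s, toks,    i, c, tok, inq, n) {
        split("", toks); n = 0; tok = ""; inq = 0
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c == "\"") { inq = !inq; tok = tok c }
            else if (c == "#" && !inq) break
            else if ((c == " " || c == "\t") && !inq) {
                if (tok != "") { toks[++n] = tok; tok = "" }
            } else tok = tok c
        }
        if (tok != "") toks[++n] = tok
        return n
    }
    !done {
        n = tokenize($0, f)
        if (n < 6) next                      # blank, comment or malformed line
        if (f[1] != want_env && f[1] != "ANY") next
        if (f[3] != want_key) next
        cmd = "cpmiquerybin " f[4] " " f[2] " " f[5] " " f[6]
        if (n >= 7) cmd = cmd " -a " f[7]
        print cmd; done = 1
    }'
}

# The queries.conf entries listed on this page, embedded so the example runs
# offline; on an MDS read $MDSDIR/conf/queries.conf instead.
QUERIES_CONF=$(cat <<'EOF'
# $1 - query environment [ MDS | CMA | ANY ]
# $2 - dbname  $3 - key  $4 - display format  $5 - tablename  $6 - query  $7 - fields
CMA "" NetworkObjects attr network_objects "" __name__,type   # Get name and type of all network objects
MDS "" GlobalNetworkObjects attr network_objects "" __name__,type
MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type
MDS "mdsdb" Customers attr pv1_customers "" __name__
MDS "mdsdb" Administrators attr pv1_administrators "" __name__
MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr
MDS "mdsdb" CMAs attr network_objects "management='true'" __name__   # Get names of all CMAs
CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr
MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr
CMA "" Status attr statuses "" __name__
CMA "" Policies object fw_policies ""
EOF
)

# Demo: build the command. Pipe the result to sh only for a queries.conf you
# trust, since whatever the file says is what gets executed.
printf '%s\n' "$QUERIES_CONF" | query_cmd MDS CMAs
```

The demo prints cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__, the same command as the "list CMAs" entry in the MDS queries section; asking for a CMA-only key from the MDS environment (or vice versa) prints nothing, which is the behaviour to expect from mdsquerydb when the environment does not match.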
The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. # # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 315 300 2013-11-17T08:39:16Z Nighthawk 1 /* jumbled examples */ wikitext text/x-wiki == Usage == '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' == jumbled examples == '''indentify firewall objects''' cpmiquerybin attr "" network_objects "firewall='installed'" -a __name__ cpmiquerybin object "" network_objects "type='cluster_member'" cpmiquerybin attr "" network_objects "type='gateway_cluster'" -a __name__ cpmiquerybin object "mdsdb" pv1_administrators "" 
'''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members anti-spoofing check on all firewall interfaces cpmiquerybin object "" network_objects "name='<firewall_name>'" |grep anti_spoof '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects "name='$GROUP_NAME'" | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p' List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ list CMAs cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get list of firewalls / cp devices cpmiquerybin attr "mdsdb" network_objects "cp_products_installed='true'" -a __name__ *** not sure how well the one above works... 
== CMA queries == List CLMs / log servers from CMA env cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr ***note*** above is example of a compound query get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ dump MDS admin account info cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm same as above plus formatting cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \ | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; \ if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; \ if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' get secondary CMA cpmiquerybin attr "" network_objects "(primary_management='false') & (management='true')" -a __name__ == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 300 299 2013-11-01T17:00:18Z Nighthawk 1 /* jumbled examples */ wikitext text/x-wiki == Usage == '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' == jumbled examples == '''indentify firewall objects''' cpmiquerybin attr "" network_objects "firewall='installed'" -a __name__ cpmiquerybin object "" network_objects "type='cluster_member'" cpmiquerybin object "" network_objects "type='gateway_cluster'" cpmiquerybin object "mdsdb" pv1_administrators "" '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster 
object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members anti-spoofing check on all firewall interfaces cpmiquerybin object "" network_objects "name='<firewall_name>'" |grep anti_spoof '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects "name='$GROUP_NAME'" | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p' List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ list CMAs cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get list of firewalls / cp devices cpmiquerybin attr "mdsdb" network_objects "cp_products_installed='true'" -a __name__ *** not sure how well the one above works... 
== CMA queries == List CLMs / log servers from CMA env cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr ***note*** above is example of a compound query get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ dump MDS admin account info cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm same as above plus formatting cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \ | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; \ if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; \ if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' get secondary CMA cpmiquerybin attr "" network_objects "(primary_management='false') & (management='true')" -a __name__ == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 299 279 2013-11-01T16:59:05Z Nighthawk 1 /* jumbled examples */ wikitext text/x-wiki == Usage == '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' == jumbled examples == '''indentify firewall objects''' cpmiquerybin attr "" network_objects "firewall='installed'" -a __name__ cpmiquerybin object "" network_objects "type='cluster_member'" cpmiquerybin object "" network_objects "type='gateway_cluster'" cpmiquerybin object "mdsdb" pv1_administrators "" '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster 
object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members anti-spoofing check on all firewall interfaces cpmiquerybin object "" network_objects "name='<firewall_name>'" |grep anti_spoof '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects "name='group_name'" | grep ":Name" | awk -F "(" '{print $2}' | sed -e 's/)//' cpmiquerybin object "" network_objects "name='$GROUP_NAME'" | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ list CMAs cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get list of firewalls / cp devices cpmiquerybin attr "mdsdb" network_objects "cp_products_installed='true'" -a __name__ *** not sure how well the one above works... 
== CMA queries == List CLMs / log servers from CMA env cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr ***note*** above is example of a compound query get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ dump MDS admin account info cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm same as above plus formatting cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \ | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; \ if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; \ if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' get secondary CMA cpmiquerybin attr "" network_objects "(primary_management='false') & (management='true')" -a __name__ == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 279 277 2013-09-28T06:34:52Z Nighthawk 1 /* jumbled examples */ wikitext text/x-wiki == Usage == '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' == jumbled examples == '''indentify firewall objects''' cpmiquerybin attr "" network_objects "firewall='installed'" -a __name__ cpmiquerybin object "" network_objects "type='cluster_member'" cpmiquerybin object "" network_objects "type='gateway_cluster'" cpmiquerybin object "mdsdb" pv1_administrators "" '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster 
object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members anti-spoofing check on all firewall interfaces cpmiquerybin object "" network_objects "name='<firewall_name>'" |grep anti_spoof '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects "name='group_name'" | grep ":Name" | awk -F "(" '{print $2}' | sed -e 's/)//' List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ list CMAs cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get list of firewalls / cp devices cpmiquerybin attr "mdsdb" network_objects "cp_products_installed='true'" -a __name__ *** not sure how well the one above works... 
== CMA queries == List CLMs / log servers from CMA env cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr ***note*** above is example of a compound query get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ dump MDS admin account info cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm same as above plus formatting cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \ | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; \ if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; \ if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' get secondary CMA cpmiquerybin attr "" network_objects "(primary_management='false') & (management='true')" -a __name__ == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 277 276 2013-09-26T20:33:19Z Nighthawk 1 wikitext text/x-wiki == Usage == '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' == jumbled examples == '''indentify firewall objects''' cpmiquerybin attr "" network_objects "firewall='installed'" -a __name__ cpmiquerybin object "" network_objects "type='cluster_member'"|grep -E ":name|anti_spoof" cpmiquerybin object "" network_objects "type='gateway_cluster'"|grep -E ":name|anti_spoof" cpmiquerybin object "mdsdb" pv1_administrators "" '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID 
cluster members from cluster object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects "name='group_name'" | grep ":Name" | awk -F "(" '{print $2}' | sed -e 's/)//' List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ list CMAs cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get list of firewalls / cp devices cpmiquerybin attr "mdsdb" network_objects "cp_products_installed='true'" -a __name__ *** not sure how well the one above works... 
== CMA queries == List CLMs / log servers from CMA env cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr ***note*** above is example of a compound query get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ dump MDS admin account info cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm same as above plus formatting cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \ | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; \ if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; \ if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' get secondary CMA cpmiquerybin attr "" network_objects "(primary_management='false') & (management='true')" -a __name__ == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 276 243 2013-09-26T20:32:16Z Nighthawk 1 wikitext text/x-wiki == Usage == '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' == jumbled examples == '''indentify firewall objects''' cpmiquerybin attr "" network_objects "firewall='installed'" -a __name__ cpmiquerybin object "" network_objects "type='cluster_member'"|grep -E ":name|anti_spoof" cpmiquerybin object "" network_objects "type='gateway_cluster'"|grep -E ":name|anti_spoof" cpmiquerybin object "mdsdb" pv1_administrators "" '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID 
cluster members from cluster object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects "name='group_name'" | grep ":Name" | awk -F "(" '{print $2}' | sed -e 's/)//' List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ list CMAs cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr == CMA queries == List CLMs / log servers from CMA env cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr ***note*** above is example of a compound query get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ dump MDS admin account info cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm same as above plus formatting cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \ | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; \ if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; \ if ($NF==10000000) 
print "Customer Manager"; if ($NF==00000000) print "None"; } ' get list of firewalls / cp devices cpmiquerybin attr "mdsdb" network_objects "cp_products_installed='true'" -a __name__ get secondary CMA cpmiquerybin attr "" network_objects "(primary_management='false') & (management='true')" -a __name__ == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
 #
 # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool
 #
 # each line in queries.conf is:
 # $1 - query environment [ MDS | CMA | ANY ]
 # $2 - dbname
 # $3 - key
 # $4 - display format [ attr | object ]
 # $5 - tablename
 # $6 - query
 # $7 - fields to be printed
 #
 CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects
 MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects
 MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects
 MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers
 MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators
 MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs
 MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs
 CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways
 MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients
 CMA "" Status attr statuses "" __name__
 CMA "" Policies object fw_policies ""
[[category:check point]]

Earlier revisions of this page, all by Nighthawk (user id 1), wikitext text/x-wiki:
* 243 (parent 159) 2013-09-14T05:54:51Z /* jumbled examples */
* 159 (parent 158) 2013-07-06T17:58:36Z /* MDS queries */
* 158 (parent 157) 2013-07-04T00:17:15Z /* MDS queries */
* 157 (parent 95) 2013-07-03T21:43:24Z /* jumbled examples */
* 95 (parent 86) 2013-05-16T20:14:41Z
* 86 (parent 85) 2013-04-28T04:24:12Z /* jumbled examples */
* 85 (parent 75) 2013-04-28T04:23:58Z /* jumbled examples */
names cpmiquerybin attr "" fw_policies "" -a __name__ dump MDS admin account info cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm same as above plus formatting cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \ | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; \ if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; \ if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 75 74 2013-04-21T07:47:47Z Nighthawk 1 /* MDS queries */ wikitext text/x-wiki == Usage == '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' == jumbled examples == cpmiquerybin object "" network_objects "type='cluster_member'"|grep -E ":name|spoof" cpmiquerybin object "mdsdb" pv1_administrators "" '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or 
cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects "name='group_name'" | grep ":Name" | awk -F "(" '{print $2}' | sed -e 's/)//' List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ list CMAs cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr List CLMs / log servers from CMA env (lists CMAs too usually) cpmiquerybin attr "" network_objects "log_server='true'" -a __name__,ipaddr get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ dump MDS admin account info cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm same as above plus formatting cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \ | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; \ if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; \ if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. 
The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. # # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 74 73 2013-04-21T07:46:32Z Nighthawk 1 
wikitext text/x-wiki == Usage == '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' == jumbled examples == cpmiquerybin object "" network_objects "type='cluster_member'"|grep -E ":name|spoof" cpmiquerybin object "mdsdb" pv1_administrators "" '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects "name='group_name'" | grep ":Name" | awk -F "(" '{print $2}' | sed -e 's/)//' List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ list CMAs cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr List CLMs / log servers from CMA env (lists CMAs too usually) cpmiquerybin attr "" network_objects "log_server='true'" -a __name__,ipaddr get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ dump MDS admin account info cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a 
__name__,auth_method,msp_perm same as above plus formatting cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 73 72 2013-04-21T07:44:54Z Nighthawk 1 /* jumbled examples */ wikitext text/x-wiki == Usage == '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' == jumbled examples == cpmiquerybin object "" network_objects "type='cluster_member'"|grep -E ":name|spoof" cpmiquerybin object "mdsdb" pv1_administrators "" '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or 
cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects "name='group_name'" | grep ":Name" | awk -F "(" '{print $2}' | sed -e 's/)//' List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ List log servers from CMA env (lists CMAs too usually) cpmiquerybin attr "" network_objects "log_server='true'" -a __name__,ipaddr == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ list CMAs cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ dump MDS admin account info cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm same as above plus formatting cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. 
The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. # # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 72 71 2013-04-21T07:44:29Z Nighthawk 1 
wikitext text/x-wiki == Usage == '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' == jumbled examples == cpmiquerybin object "" network_objects "type='cluster_member'"|grep -E ":name|spoof" cpmiquerybin object "mdsdb" pv1_administrators "" '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects "name='group_name'" | grep ":Name" | awk -F "(" '{print $2}' | sed -e 's/)//' List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ List log servers from CMA env (lists CMAs too usually) cpmiquerybin attr "" network_objects "log_server='true'" -a __name__,ipaddr == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ list CMAs cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ dump MDS admin account info cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a 
__name__,auth_method,msp_perm same as above plus formatting cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 71 70 2013-04-21T07:40:37Z Nighthawk 1 wikitext text/x-wiki == Usage == #'''cpmiquerybin''' <query_result_type> <database> <ta ble> <query> [-a <attributes_list>] {| cellspacing="5" border="1" ! align="left"|command ! <query_result_type> ! <database> ! <t able> ! <query> ! [-a <attribute_list>] ! 
description |- |cpmiquerybin |attr |"mdsdb" |row 1, col 4 |row 1, col 5 |row 1, col 6 |- |cpmiquerybin |row 2, col 2 |row 2, col 3 |row 2, col 4 |row 2, col 5 |row 2, col 6 |- |cpmiquerybin |row 3, col 2 |row 3, col 3 |row 3, col 4 |row 3, col 5 |row 3, col 6 |- !Total | |15.00 |} == jumbled examples == cpmiquerybin object "" network_objects "type='gateway'"|grep -E ":name|spoof" cpmiquerybin object "mdsdb" pv1_administrators "" '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects "name='group_name'" | grep ":Name" | awk -F "(" '{print $2}' | sed -e 's/)//' List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ List log servers from CMA env (lists CMAs too usually) cpmiquerybin attr "" network_objects "log_server='true'" -a __name__,ipaddr == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ list CMAs cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get CMA policy names cpmiquerybin attr "" 
fw_policies "" -a __name__ dump MDS admin account info cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm same as above plus formatting cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 70 69 2013-04-21T07:36:28Z Nighthawk 1 /* jumbled examples */ wikitext text/x-wiki == Usage == #'''cpmiquerybin''' <query_result_type> <database> <ta ble> <query> [-a <attributes_list>] {| cellspacing="5" border="1" ! align="left"|command ! <query_result_type> ! <database> ! <t able> ! <query> ! [-a <attribute_list>] ! 
description |- |cpmiquerybin |attr |"mdsdb" |row 1, col 4 |row 1, col 5 |row 1, col 6 |- |cpmiquerybin |row 2, col 2 |row 2, col 3 |row 2, col 4 |row 2, col 5 |row 2, col 6 |- |cpmiquerybin |row 3, col 2 |row 3, col 3 |row 3, col 4 |row 3, col 5 |row 3, col 6 |- !Total | |15.00 |} == jumbled examples == cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm cpmiquerybin object "" network_objects "type='gateway'"|grep -E ":name|spoof" cpmiquerybin object "mdsdb" pv1_administrators "" cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr dump and format Provider-1 admins cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects "name='group_name'" | grep ":Name" | awk -F "(" '{print $2}' | sed -e 's/)//' List services with 
'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ List log servers from CMA env (lists CMAs too usually) cpmiquerybin attr "" network_objects "log_server='true'" -a __name__,ipaddr == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 69 68 2013-04-21T05:47:27Z Nighthawk 1 /* jumbled examples */ wikitext text/x-wiki == Usage == #'''cpmiquerybin''' <query_result_type> <database> <ta ble> <query> [-a <attributes_list>] {| cellspacing="5" border="1" ! align="left"|command ! <query_result_type> ! <database> ! <t able> ! <query> ! [-a <attribute_list>] ! 
description |- |cpmiquerybin |attr |"mdsdb" |row 1, col 4 |row 1, col 5 |row 1, col 6 |- |cpmiquerybin |row 2, col 2 |row 2, col 3 |row 2, col 4 |row 2, col 5 |row 2, col 6 |- |cpmiquerybin |row 3, col 2 |row 3, col 3 |row 3, col 4 |row 3, col 5 |row 3, col 6 |- !Total | |15.00 |} == jumbled examples == cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm cpmiquerybin object "" network_objects "type='gateway'"|grep -E ":name|spoof" cpmiquerybin object "mdsdb" pv1_administrators "" cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects "name='group_name'" | grep ":Name" | awk -F "(" '{print $2}' | sed -e 's/)//' List services with 'Match for Any' ticked cpmiquerybin 
attr "" services "include_in_any='true'" -a __name__ List log servers from CMA env (lists CMAs too usually) cpmiquerybin attr "" network_objects "log_server='true'" -a __name__,ipaddr == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 68 64 2013-04-21T05:45:53Z Nighthawk 1 /* jumbled examples */ wikitext text/x-wiki == Usage == #'''cpmiquerybin''' <query_result_type> <database> <ta ble> <query> [-a <attributes_list>] {| cellspacing="5" border="1" ! align="left"|command ! <query_result_type> ! <database> ! <t able> ! <query> ! [-a <attribute_list>] ! 
description |- |cpmiquerybin |attr |"mdsdb" |row 1, col 4 |row 1, col 5 |row 1, col 6 |- |cpmiquerybin |row 2, col 2 |row 2, col 3 |row 2, col 4 |row 2, col 5 |row 2, col 6 |- |cpmiquerybin |row 3, col 2 |row 3, col 3 |row 3, col 4 |row 3, col 5 |row 3, col 6 |- !Total | |15.00 |} == jumbled examples == cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm cpmiquerybin object "" network_objects "type='gateway'"|grep -E ":name|spoof" cpmiquerybin object "mdsdb" pv1_administrators "" cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members from cluster object name''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' or cpmiquerybin attr "" network_objects "name='KEBNC2SPB01_02_Cluster'" -a cluster_members '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects "name='glb_IPBlock-12-69889'" | grep ":Name" | awk -F "(" '{print $2}' | sed -e 's/)//' List services with 'Match for Any' 
ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ List log servers from CMA env (lists CMAs too usually) cpmiquerybin attr "" network_objects "log_server='true'" -a __name__,ipaddr == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 64 63 2013-04-20T23:52:58Z Nighthawk 1 /* jumbled examples */ wikitext text/x-wiki == Usage == #'''cpmiquerybin''' <query_result_type> <database> <ta ble> <query> [-a <attributes_list>] {| cellspacing="5" border="1" ! align="left"|command ! <query_result_type> ! <database> ! <t able> ! <query> ! [-a <attribute_list>] ! 
description |- |cpmiquerybin |attr |"mdsdb" |row 1, col 4 |row 1, col 5 |row 1, col 6 |- |cpmiquerybin |row 2, col 2 |row 2, col 3 |row 2, col 4 |row 2, col 5 |row 2, col 6 |- |cpmiquerybin |row 3, col 2 |row 3, col 3 |row 3, col 4 |row 3, col 5 |row 3, col 6 |- !Total | |15.00 |} == jumbled examples == cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm cpmiquerybin object "" network_objects "type='gateway'"|grep -E ":name|spoof" cpmiquerybin object "mdsdb" pv1_administrators "" cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members by parsing the cluster objects''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects "name='glb_IPBlock-12-69889'" | grep ":Name" | awk -F "(" '{print $2}' | sed -e 's/)//' List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ List log 
servers from CMA env (lists CMAs too usually) cpmiquerybin attr "" network_objects "log_server='true'" -a __name__,ipaddr == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 63 31 2013-04-20T23:52:07Z Nighthawk 1 wikitext text/x-wiki == Usage == #'''cpmiquerybin''' <query_result_type> <database> <ta ble> <query> [-a <attributes_list>] {| cellspacing="5" border="1" ! align="left"|command ! <query_result_type> ! <database> ! <t able> ! <query> ! [-a <attribute_list>] ! 
description |- |cpmiquerybin |attr |"mdsdb" |row 1, col 4 |row 1, col 5 |row 1, col 6 |- |cpmiquerybin |row 2, col 2 |row 2, col 3 |row 2, col 4 |row 2, col 5 |row 2, col 6 |- |cpmiquerybin |row 3, col 2 |row 3, col 3 |row 3, col 4 |row 3, col 5 |row 3, col 6 |- !Total | |15.00 |} == jumbled examples == cpmiquerybin attr "" network_objects "log_server='true'" -a __name__,ipaddr cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm cpmiquerybin object "" network_objects "type='gateway'"|grep -E ":name|spoof" cpmiquerybin object "mdsdb" pv1_administrators "" cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members by parsing the cluster objects''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects "name='glb_IPBlock-12-69889'" | grep ":Name" | awk -F "(" '{print $2}' | sed -e 's/)//' List services with 'Match for Any' ticked 
cpmiquerybin attr "" services "include_in_any='true'" -a __name__ == MDS queries == list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] 31 2013-02-26T00:29:49Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki == Usage == #'''cpmiquerybin''' <query_result_type> <database> <ta ble> <query> [-a <attributes_list>] {| cellspacing="5" border="1" ! align="left"|command ! <query_result_type> ! <database> ! <t able> ! <query> ! [-a <attribute_list>] ! 
description |- |cpmiquerybin |attr |"mdsdb" |row 1, col 4 |row 1, col 5 |row 1, col 6 |- |cpmiquerybin |row 2, col 2 |row 2, col 3 |row 2, col 4 |row 2, col 5 |row 2, col 6 |- |cpmiquerybin |row 3, col 2 |row 3, col 3 |row 3, col 4 |row 3, col 5 |row 3, col 6 |- !Total | |15.00 |} == jumbled examples == cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm cpmiquerybin object "" network_objects "type='gateway'"|grep -E ":name|spoof" cpmiquerybin object "mdsdb" pv1_administrators "" cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm | awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer"; if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' '''get name of all objects of type cluster member''' cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__ '''To get a list of names of all VALID cluster members by parsing the cluster objects''' cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g' '''query all objects for an ip address''' cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr from cma env, list management/cma objects # cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr '''All members of a group''' cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name" '''All members of a group formatted''' cpmiquerybin object "" network_objects "name='glb_IPBlock-12-69889'" | grep ":Name" | awk -F "(" '{print $2}' | sed -e 's/)//' List services with 'Match for Any' ticked cpmiquerybin attr "" services "include_in_any='true'" -a __name__ == MDS queries 
== list all MDSs cpmiquerybin attr "mdsdb" mdss "" -a __name__ list primary MDS cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__ get IP for CLM name cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr get CMA policy names cpmiquerybin attr "" fw_policies "" -a __name__ == Tables == queryable tables can be gleaned from tables.C cat tables.C |grep ": (" == Default Queries for mdsquerydb== mdsquerydb is utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin. $MDSDIR/conf/queries.conf # (c) Copyright 1993-2005 Check Point Software Technologies Ltd. # All rights reserved. # # This is proprietary information of Check Point Software Technologies # Ltd., which is provided for informational purposes only and for use # solely in conjunction with the authorized use of Check Point Software # Technologies Ltd. products. The viewing and use of this information is # subject, to the extent appropriate, to the terms and conditions of the # license agreement that authorizes the use of the relevant product. 
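How the seven queries.conf columns turn into a cpmiquerybin command line, as an added shell example (not code from the wiki page or from Check Point): it parses a constructed excerpt of the file above and assembles the cpmiquerybin invocation for a query key, the way mdsquerydb resolves one. The environment column matters because the same key (NetworkObjects) points at the CMA database in one entry and at "mdsdb" in another. The assumption that the query column contains no whitespace holds for every entry shipped in the file above; queries_conf and build_query are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the wiki page or from Check Point: build the
# cpmiquerybin command line that a queries.conf entry describes, the way
# mdsquerydb resolves a query key. queries_conf and build_query are names
# chosen for this example.

# Constructed excerpt of $MDSDIR/conf/queries.conf (entries copied from the page).
# Columns: $1 env, $2 dbname, $3 key, $4 format, $5 table, $6 query, $7 fields.
queries_conf() {
cat <<'EOF'
# each line in queries.conf is: env dbname key format table query fields
CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects
MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects
MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs
CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways
CMA "" Policies object fw_policies ""
EOF
}

# build_query KEY [ENV]: print the cpmiquerybin command for KEY, restricted to
# entries whose env column matches ENV (MDS or CMA) or is ANY; exit 1 when no
# entry matches. Assumes the query column contains no whitespace, which holds
# for every entry of the file shown on the page.
build_query() {
    queries_conf | awk -v key="$1" -v env="${2:-ANY}" '
        /^[ \t]*#/ || NF < 6 { next }        # skip comments and short lines
        $3 == key && (env == "ANY" || $1 == env || $1 == "ANY") {
            cmd = "cpmiquerybin " $4 " " $2 " " $5 " " $6
            # the fields column is optional: absent, or only a trailing comment
            if ($7 != "" && $7 != "#") cmd = cmd " -a " $7
            print cmd
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }'
}

build_query Gateways            # cpmiquerybin attr "" network_objects "type='gateway'" -a __name__,ipaddr
build_query NetworkObjects MDS  # cpmiquerybin attr "mdsdb" network_objects "" -a __name__,type
build_query Policies            # cpmiquerybin object "" fw_policies ""
```

Calling build_query with a key that exists only for the other environment (for instance Gateways with MDS) prints nothing and exits 1, which is the check a script should make before running the resulting command from the wrong context.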
# # This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool # # each line in queries.conf is: # $1 - query environment [ MDS | CMA | ANY ] # $2 - dbname # $3 - key # $4 - display format [ attr | object ] # $5 - tablename # $6 - query # $7 - fields to be printed # CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients CMA "" Status attr statuses "" __name__ CMA "" Policies object fw_policies "" [[category:check point]] cpmiquerybin on SmartCenter server 0 141 376 375 2014-03-15T20:45:07Z Nighthawk 1 /* set environment variables */ wikitext text/x-wiki cpmiquerybin is a useful tool found on Check Point Provider-1 servers. Ever wish you had it on a SmartCenter? Well, you can. Copy the cpmiquerybin from a Provider-1 (OF THE SAME Check Point VERSION) to your SmartCenter. == set environment variables == add the following lines to $CPDIR/tmp/.CPprofile.sh, replace the 192.168.1.10 with whatever your SmartCenter IP address is. MSP_SOMEIP_ADDR="192.168.1.10"; export MSP_SOMEIP_ADDR MDSDIR="/opt/CPshrd-R75.40"; export MDSDIR source it to make them take effect... 
[Expert@ckkpmgr]# '''source $CPDIR/tmp/.CPprofile.sh ''' == successful test run == [Expert@ckkpmgr]# '''cpmiquerybin attr "" network_objects "name='LocalMachine'" -a __name__''' get_cust_name: couldn't find /customers/ within fwdir LocalMachine The error concerning the customers dir is annoying. I tried to make some dummy dirs to fake it out... mkdir /opt/CPsuite-R75.40/fw1/customers mkdir /opt/CPsuite-R75.40/fw1/customers/dummy mkdir /opt/CPshrd-R75.40/customers mkdir /opt/CPshrd-R75.40/customers/dummy but it didn't work... so, best to use a function. == use a function to filter out get_cust_name error == add a global function to /etc/bashrc function cpquery() { /usr/local/bin/cpmiquerybin "$@" 2>&1 | grep -v "get_cust_name: couldn't find";} source it... [Expert@ckkpmgr]# '''source /etc/bashrc''' The function above redirects stderr to stdout and filters out the error message string. Use the function '''cpquery''' at the shell command line in place of cpmiquerybin. You aren't supposed to use aliases in scripts, maybe you can use the global function? or you can define the function in all your scripts. another test run... [Expert@ckkpmgr]# '''cpquery attr "" network_objects "name='LocalMachine'" -a __name__''' LocalMachine no more error! [[category:cpmi]] 375 374 2014-03-15T20:44:56Z Nighthawk 1 /* use a function to filter out get_cust_name error */ wikitext text/x-wiki cpmiquerybin is a useful tool found on Check Point Provider-1 servers. Ever wish you had it on a SmartCenter? Well, you can. Copy the cpmiquerybin from a Provider-1 (OF THE SAME Check Point VERSION) to your SmartCenter. == set environment variables == add the following lines to $CPDIR/tmp/.CPprofile.sh, replace the 192.168.1.10 with whatever your SmartCenter IP address is. MSP_SOMEIP_ADDR="192.168.1.10"; export MSP_SOMEIP_ADDR MDSDIR="/opt/CPshrd-R75.40"; export MDSDIR source it to make them take effect... 
[Expert@ckkpmgr]# source $CPDIR/tmp/.CPprofile.sh == successful test run == [Expert@ckkpmgr]# '''cpmiquerybin attr "" network_objects "name='LocalMachine'" -a __name__''' get_cust_name: couldn't find /customers/ within fwdir LocalMachine The error concerning the customers dir is annoying. I tried to make some dummy dirs to fake it out... mkdir /opt/CPsuite-R75.40/fw1/customers mkdir /opt/CPsuite-R75.40/fw1/customers/dummy mkdir /opt/CPshrd-R75.40/customers mkdir /opt/CPshrd-R75.40/customers/dummy but it didn't work... so, best to use a function. == use a function to filter out get_cust_name error == add a global function to /etc/bashrc function cpquery() { /usr/local/bin/cpmiquerybin "$@" 2>&1 | grep -v "get_cust_name: couldn't find";} source it... [Expert@ckkpmgr]# '''source /etc/bashrc''' The function above redirects stderr to stdout and filters out the error message string. Use the function '''cpquery''' at the shell command line in place of cpmiquerybin. You aren't supposed to use aliases in scripts, maybe you can use the global function? or you can define the function in all your scripts. another test run... [Expert@ckkpmgr]# '''cpquery attr "" network_objects "name='LocalMachine'" -a __name__''' LocalMachine no more error! [[category:cpmi]] 374 373 2014-03-15T20:44:47Z Nighthawk 1 /* use a function to filter out get_cust_name error */ wikitext text/x-wiki cpmiquerybin is a useful tool found on Check Point Provider-1 servers. Ever wish you had it on a SmartCenter? Well, you can. Copy the cpmiquerybin from a Provider-1 (OF THE SAME Check Point VERSION) to your SmartCenter. == set environment variables == add the following lines to $CPDIR/tmp/.CPprofile.sh, replace the 192.168.1.10 with whatever your SmartCenter IP address is. MSP_SOMEIP_ADDR="192.168.1.10"; export MSP_SOMEIP_ADDR MDSDIR="/opt/CPshrd-R75.40"; export MDSDIR source it to make them take effect... 
[Expert@ckkpmgr]# source $CPDIR/tmp/.CPprofile.sh == successful test run == [Expert@ckkpmgr]# '''cpmiquerybin attr "" network_objects "name='LocalMachine'" -a __name__''' get_cust_name: couldn't find /customers/ within fwdir LocalMachine The error concerning the customers dir is annoying. I tried to make some dummy dirs to fake it out... mkdir /opt/CPsuite-R75.40/fw1/customers mkdir /opt/CPsuite-R75.40/fw1/customers/dummy mkdir /opt/CPshrd-R75.40/customers mkdir /opt/CPshrd-R75.40/customers/dummy but it didn't work... so, best to use a function. == use a function to filter out get_cust_name error == add a global function to /etc/bashrc function cpquery() { /usr/local/bin/cpmiquerybin "$@" 2>&1 | grep -v "get_cust_name: couldn't find";} source it... [Expert@ckkpmgr]# source /etc/bashrc The function above redirects stderr to stdout and filters out the error message string. Use the function '''cpquery''' at the shell command line in place of cpmiquerybin. You aren't supposed to use aliases in scripts, maybe you can use the global function? or you can define the function in all your scripts. another test run... [Expert@ckkpmgr]# '''cpquery attr "" network_objects "name='LocalMachine'" -a __name__''' LocalMachine no more error! [[category:cpmi]] 373 372 2014-03-15T20:35:19Z Nighthawk 1 /* use a function to filter out get_cust_name error */ wikitext text/x-wiki cpmiquerybin is a useful tool found on Check Point Provider-1 servers. Ever wish you had it on a SmartCenter? Well, you can. Copy the cpmiquerybin from a Provider-1 (OF THE SAME Check Point VERSION) to your SmartCenter. == set environment variables == add the following lines to $CPDIR/tmp/.CPprofile.sh, replace the 192.168.1.10 with whatever your SmartCenter IP address is. MSP_SOMEIP_ADDR="192.168.1.10"; export MSP_SOMEIP_ADDR MDSDIR="/opt/CPshrd-R75.40"; export MDSDIR source it to make them take effect... 
= cpstat examples =

 [Expert@chkpmgr3:0]# cpstat -h 192.168.175.2 -f policy fw
 
 Product name: Firewall
 Policy name: Standard
 Policy install time: Fri Jun 10 15:31:13 2016
 Num. connections: 11
 Peak num. connections: 35
 Connections capacity limit: 0
 Total accepted packets: 5566405
 Total dropped packets: 0
 Total rejected packets: 0
 Total accepted bytes: 3426062164
 Total dropped bytes: 0
 Total rejected bytes: 0
 Total logged: 8518
 
 Interface table
 ------------------------------------
 |Name|Dir|Accept |Drop |Reject|Log |
 ------------------------------------
 |eth0|in |3276782| 4894|     0|7379|
 |eth0|out|1376700|    1|     0|   1|
 |eth1|in | 872610| 6836|     0|1056|
 |eth1|out|  25708|    0|     0|   0|
 |eth2|in |  14461|    0|     0|   0|
 |eth2|out|    143|    0|     0|   0|
 ------------------------------------
 |    |   |5566404|11731|     0|8436|
 ------------------------------------

 [Expert@chkpmgr3:0]# cpstat -h 192.168.175.2 ha
 
 Product name: High Availability
 Version: N/A
 Status: OK
 HA installed: 1
 Working mode: Sync only (OPSEC)
 HA started: yes

 [Expert@chkpmgr3:0]# cpstat -h 192.168.175.2 blades
 
 Packets accepted : 5567773
 Packets dropped : 0
 Peak number of connections: 35
 Number of connections: 9
 
 Top Rule Hits
 -----------------------
 |rule index|rule count|
 -----------------------
 |Rule 0    |     15251|
 |Rule 3    |      6139|
 |Rule 5    |      1311|
 |Rule 1    |         6|
 -----------------------

 [Expert@chkpmgr3:0]# cpstat -h 192.168.175.2 -f log_connection fw
 Corrupted reply: Columns are not of same length.

 [Expert@chkpmgr3:0]# cpstat -h 192.168.175.2 -f multi_cpu os
 
 Processors load
 ---------------------------------------------------------------------------------
 |CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
 ---------------------------------------------------------------------------------
 |   1|           1|             1|         98|       2|        ?|          4098|
 |   2|           0|             1|         99|       1|        ?|          4098|
 |   3|           6|             2|         93|       7|        ?|          4098|
 |   4|           0|             0|         99|       1|        ?|          4099|
 ---------------------------------------------------------------------------------

 [Expert@chkpmgr3:0]# cpstat -h 192.168.175.2 -f connectivity os
 
 Connectivity to User Center: -

 [Expert@chkpmgr3:0]# cpstat -h 192.168.175.2 -f perf os
 
 Total Virtual Memory (Bytes): 4201517056
 Active Virtual Memory (Bytes): 335167488
 Total Real Memory (Bytes): 985444352
 Active Real Memory (Bytes): 335093760
 Free Real Memory (Bytes): 650350592
 Memory Swaps/Sec: -
 Memory To Disk Transfers/Sec: -
 CPU User Time (%): 0
 CPU System Time (%): 1
 CPU Idle Time (%): 99
 CPU Usage (%): 1
 CPU Queue Length: -
 CPU Interrupts/Sec: 996
 CPUs Number: 4
 Disk Servicing Read\Write Requests Time: -
 Disk Requests Queue: -
 Disk Free Space (%): 66
 Disk Total Free Space (Bytes): 8332877824
 Disk Available Free Space (Bytes): 7688634368
 Disk Total Space (Bytes): 12481380352

 [Expert@chkpmgr3:0]# cpstat -h 192.168.175.2 -f sync fw
 
 sync - configured: Yes
 sync - out state: On
 sync - in state: On
 sync - number of sent packets: 114550
 sync - number of Kbytes sent: 27052
 sync - number of packets received: 93019
 sync - number of Kbytes received: 56304
 sync - number of retrans requests sent: 0
 sync - number of retrans requests received: 0
 sync - number of ack packets sent: 3
 sync - number of ack packets received: 3
 sync - number of packets dropped by network: 0
 sync - overall number of table updates to be synced: 553440
 sync - number of updates filtered by 'non sync': 262792

 [Expert@chkpmgr3:0]# cpstat -h 192.168.175.2 -f inspect fw
 
 Product name: Firewall
 inspect - packets: 0
 inspect - operations: 0
 inspect - lookups: 0
 inspect - record: 0
 inspect - extract: 0

 [Expert@chkpmgr3:0]# cpstat -h 192.168.175.2 -f sensors os
= cpuse deployment agent =

== checking current version ==

 # '''cpvinfo $DADIR/bin/DAService | grep -A 4 -E "Name = DeploymentAgent"'''
 Module Name = DeploymentAgent
 Build Number = 747
 Major Release = NGX
 Minor Release = cpuse_geyser_ga
 Release Number = 5.0.5

== downloading the latest cpuse deployment agent ==

a download link to the latest cpuse is found in [https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92449&partition=General&product=All%22 sk92449] on the user center

== check currently installed version ==

 cpvinfo $DADIR/bin/DAService | grep Build

== how to perform an offline upgrade ==

# download the latest cpuse
# uninstall cpuse
#: [Expert@chkpmds1:0]# '''rpm -e CPda-00-00'''
#: /opt/CPshrd-R77/bin/cpwd_admin del -name DASERVICE
#: cpwd_admin: successful Del operation
# install new cpuse
#: [Expert@chkpmds1:0]# '''rpm -ivh ./CPda-00-00.i386.rpm'''
#: Preparing... ########################################### [100%]
#: cpwd_admin: Process DASERVICE isn't monitored by cpWatchDog. Stop request aborts
#: Trying to stop DAService for 60 seconds - please wait...
#: Error: DAService is not running.
#: Waiting for DAService to stop...
#: Error: DAService is not running.

Note: it is typical to see the above message many times.

== restarting clishd ==

To Stop

 [Expert@HostName]# '''tellpm process:clishd'''

To Start

 [Expert@HostName]# '''tellpm process:clishd t'''

start agent

 # clish -c "installer agent start"

upgrade should be completed.
= cpuse deployment agent logging =

 tail -f /opt/CPInstLog/DeploymentAgent.log

= cpuse notes =

[https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92449&partition=General&product=All%22 sk92449 - Check Point Upgrade Service Engine (CPUSE) - Gaia Deployment Agent]

log file: /opt/CPInstLog/DeploymentAgent.log

= cpview log =

== versions ==

R77 and above. The table structure can change dramatically from version to version. For example, the number of tables in the cpview database changed from 321 to 83 between R77.20 and R77.30.

== opening the database ==

We will query it with the sqlite3 utility. We don't use the cpview binary because it is too limited.
 [Expert@chkpfw1:0]# sqlite3 /var/log/CPView_history/CPViewDB.dat

== example queries ==

=== list tables ===

 sqlite> .tables

=== list columns ===

 sqlite> .schema fw_counters

=== passing sqlite3 command via CLI ===

 [Expert@chkpfw1:0]# sqlite3 /var/log/CPView_history/CPViewDB.dat '.tables'

=== query with start end times ===

 sqlite3 /var/log/CPView_history/CPViewDB.dat 'select datetime(Timestamp, "unixepoch") as time,inbound_throughput/1048576/10 as MBS_IN,outbound_throughput/1048576/10 as MBS_OUT,concurrent_conns from fw_counters where time between "2016-01-05 00:00:00" and "2016-01-05 00:10:00"'

=== check for high cpu (77.20?) ===

 sqlite3 /var/log/CPView_history/CPViewDB.dat 'select datetime(Timestamp, "unixepoch") as time,name_of_cpu,cpu_usage from fw_counters where cpu_usage between "90" and "100" '

== cpu table ==

 $ sqlite3 /var/log/CPView_history/CPViewDB.dat '.schema UM_STAT_UM_CPU_UM_CPU_ORDERED_TABLE' | tr ',' '\n'
 CREATE TABLE UM_STAT_UM_CPU_UM_CPU_ORDERED_TABLE (Timestamp INTEGER
 name_of_cpu INTEGER
 cpu_usage INTEGER
 cpu_usr_time INTEGER
 cpu_sys_time INTEGER
 cpu_idl_time INTEGER
 cpu_io_wait INTEGER
 cpu_interrupts INTEGER);

== exporting the data ==

 [Expert@chkpfw1:0]# '''cpview history export'''
 Stopping the history daemon
 cpwd_admin: Process HISTORYD terminated
 cpwd_admin: successful Del operation
 Exporting the database
 Exported DB to /var/log/CPView_history/exported_db_15_04_2021_1222.gz
 Starting the history daemon
 cpwd_admin: Process HISTORYD started successfully (pid=9595)

to view the oldest date and time of data available in a history file...

 [Expert@chkpfw1:0]# sqlite3 /var/log/CPView_history/CPViewDB.dat 'select datetime(Timestamp, "unixepoch") as time from fw_counters limit 1'
 2021-04-07 05:32:28
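The queries above, as an added example (not the wiki's own) run through Python's sqlite3 module against a constructed in-memory database: the cpu table uses the schema the page prints, fw_counters is reduced to the columns the page queries, and every row is made up. It goes a step beyond the page by filtering on the raw Timestamp rather than the datetime() alias, by running the high-CPU check against the per-core cpu table, and by taking the oldest sample with MIN() instead of relying on insertion order.

```python
"""Query CPView history the way the cpview log page does, with Python's sqlite3.

Added example, not part of the wiki page. It builds a constructed in-memory
database: UM_STAT_UM_CPU_UM_CPU_ORDERED_TABLE uses the schema the page prints,
fw_counters carries only the columns the page queries, and all rows are made up.
Set DB_PATH to /var/log/CPView_history/CPViewDB.dat to run against a real history file
(skip build_sample_db in that case).
"""
import sqlite3
from datetime import datetime, timezone

DB_PATH = ":memory:"  # constructed; on a gateway: /var/log/CPView_history/CPViewDB.dat
CPU_TABLE = "UM_STAT_UM_CPU_UM_CPU_ORDERED_TABLE"  # name from the page's .schema output


def epoch(ts):
    """'YYYY-MM-DD HH:MM:SS' (UTC) -> unix epoch. datetime(x,'unixepoch') renders
    UTC, so the window strings on the page are UTC too, not gateway local time."""
    return int(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())


def build_sample_db(path=DB_PATH):
    """Create both tables and fill them with constructed samples 10 s apart."""
    con = sqlite3.connect(path)
    con.execute(f"""CREATE TABLE {CPU_TABLE} (Timestamp INTEGER, name_of_cpu INTEGER,
        cpu_usage INTEGER, cpu_usr_time INTEGER, cpu_sys_time INTEGER,
        cpu_idl_time INTEGER, cpu_io_wait INTEGER, cpu_interrupts INTEGER)""")
    con.execute("""CREATE TABLE fw_counters (Timestamp INTEGER,
        inbound_throughput INTEGER, outbound_throughput INTEGER, concurrent_conns INTEGER)""")
    base = epoch("2016-01-05 00:00:00")
    fw = [(base + 10 * i, 52_428_800 * (i % 3 + 1), 10_485_760, 1000 + i)
          for i in range(90)]                       # 15 minutes of samples
    fw.reverse()                                    # insertion order != time order, on purpose
    con.executemany("INSERT INTO fw_counters VALUES (?,?,?,?)", fw)
    cpu = []
    for i in range(90):
        for core in range(4):                       # core 2 spikes at samples 10 and 11
            usage = 95 if (core == 2 and i in (10, 11)) else 20
            cpu.append((base + 10 * i, core, usage, usage - 5, 5, 100 - usage, 0, 4000))
    con.executemany(f"INSERT INTO {CPU_TABLE} VALUES (?,?,?,?,?,?,?,?)", cpu)
    con.commit()
    return con


def table_names(con):
    """Same list as the sqlite3 '.tables' command on the page."""
    return [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]


def throughput_window(con, start, end):
    """The page's 'query with start end times'. The page filters on the datetime()
    alias with string literals; filtering on the raw Timestamp compares integers
    and lets SQLite use an index on Timestamp if one exists."""
    sql = """SELECT datetime(Timestamp, 'unixepoch') AS time,
                    inbound_throughput/1048576/10 AS MBS_IN,
                    outbound_throughput/1048576/10 AS MBS_OUT,
                    concurrent_conns
             FROM fw_counters WHERE Timestamp BETWEEN ? AND ? ORDER BY Timestamp"""
    return con.execute(sql, (epoch(start), epoch(end))).fetchall()


def high_cpu_samples(con, low=90, high=100):
    """The page's 'check for high cpu', run against the per-core table whose
    schema the page shows (fw_counters has no cpu columns in this sample DB)."""
    sql = f"""SELECT datetime(Timestamp, 'unixepoch') AS time, name_of_cpu, cpu_usage
              FROM {CPU_TABLE} WHERE cpu_usage BETWEEN ? AND ?
              ORDER BY Timestamp, name_of_cpu"""
    return con.execute(sql, (low, high)).fetchall()


def oldest_sample(con, table="fw_counters"):
    """Oldest timestamp in the history. The page uses 'limit 1' without ORDER BY,
    which only works if rows were inserted in time order; MIN() does not care."""
    if table not in table_names(con):               # table names cannot be bound parameters
        raise ValueError(f"no such table: {table}")
    return con.execute(f"SELECT datetime(MIN(Timestamp), 'unixepoch') FROM {table}").fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    print(table_names(db))
    for row in throughput_window(db, "2016-01-05 00:00:00", "2016-01-05 00:10:00")[:3]:
        print(row)
    print(high_cpu_samples(db))
    print(oldest_sample(db))
```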
For example the number of tables in the cpview database changed from 321 to 83 between r77.20 and r77.30. ==opening the database== We will query it with the sqlite3 utility. We don't use the cpview binary because it is too limited. [Expert@chkpfw1:0]# sqlite3 /var/log/CPView_history/CPViewDB.dat == example queries == === list tables === sqlite> .tables ===list columns=== sqlite> .schema fw_counters ===passing sqlite3 command via CLI=== [Expert@chkpfw1:0]# sqlite3 /var/log/CPView_history/CPViewDB.dat '.tables' ===query with start end times=== sqlite3 /var/log/CPView_history/CPViewDB.dat 'select datetime(Timestamp, "unixepoch") as time,inbound_throughput/1048576/10 as MBS_IN,outbound_throughput/1048576/10 as MBS_OUT,concurrent_conns from fw_counters where time between "2016-01-05 00:00:00" and "2016-01-05 00:10:00"' ===check for high cpu (77.20?)=== sqlite3 /var/log/CPView_history/CPViewDB.dat 'select datetime(Timestamp, "unixepoch") as time,name_of_cpu,cpu_usage from fw_counters where cpu_usage between "90" and "100" ' == cpu table == $ sqlite3 /var/log/CPView_history/CPViewDB.dat '.schema UM_STAT_UM_CPU_UM_CPU_ORDERED_TABLE' | tr ',' '\n' CREATE TABLE UM_STAT_UM_CPU_UM_CPU_ORDERED_TABLE (Timestamp INTEGER name_of_cpu INTEGER cpu_usage INTEGER cpu_usr_time INTEGER cpu_sys_time INTEGER cpu_idl_time INTEGER cpu_io_wait INTEGER cpu_interrupts INTEGER); ==exporting the data== [Expert@chkpfw1:0]# '''cpview history export''' Stopping the history daemon cpwd_admin: Process HISTORYD terminated cpwd_admin: successful Del operation Exporting the database Exported DB to /var/log/CPView_history/exported_db_15_04_2021_1222.gz Starting the history daemon cpwd_admin: Process HISTORYD started successfully (pid=9595) 453203226fc8e6e36b4f353535574a73a7c7e10b 717 606 2018-03-01T15:20:24Z Nighthawk 1 /* check for high cpu */ wikitext text/x-wiki ==versions== R77 and above The table structure can change dramatically from version to version. 
For example the number of tables in the cpview database changed from 321 to 83 between r77.20 and r77.30. ==opening the database== We will query it with the sqlite3 utility. We don't use the cpview binary because it is too limited. [Expert@chkpfw1:0]# sqlite3 /var/log/CPView_history/CPViewDB.dat == example queries == === list tables === sqlite> .tables ===list columns=== sqlite> .schema fw_counters ===passing sqlite3 command via CLI=== [Expert@chkpfw1:0]# sqlite3 /var/log/CPView_history/CPViewDB.dat '.tables' ===query with start end times=== sqlite3 /var/log/CPView_history/CPViewDB.dat 'select datetime(Timestamp, "unixepoch") as time,inbound_throughput/1048576/10 as MBS_IN,outbound_throughput/1048576/10 as MBS_OUT,concurrent_conns from fw_counters where time between "2016-01-05 00:00:00" and "2016-01-05 00:10:00"' ===check for high cpu (77.20?)=== sqlite3 /var/log/CPView_history/CPViewDB.dat 'select datetime(Timestamp, "unixepoch") as time,name_of_cpu,cpu_usage from fw_counters where cpu_usage between "90" and "100" ' == cpu table == $ sqlite3 /var/log/CPView_history/CPViewDB.dat '.schema UM_STAT_UM_CPU_UM_CPU_ORDERED_TABLE' | tr ',' '\n' CREATE TABLE UM_STAT_UM_CPU_UM_CPU_ORDERED_TABLE (Timestamp INTEGER name_of_cpu INTEGER cpu_usage INTEGER cpu_usr_time INTEGER cpu_sys_time INTEGER cpu_idl_time INTEGER cpu_io_wait INTEGER cpu_interrupts INTEGER); 268601b5f7c5eddcd2f11640b93db5f3347796a6 606 603 2016-10-25T01:46:36Z Nighthawk 1 /* query with start end times */ wikitext text/x-wiki ==versions== R77 and above The table structure can change dramatically from version to version. For example the number of tables in the cpview database changed from 321 to 83 between r77.20 and r77.30. ==opening the database== We will query it with the sqlite3 utility. We don't use the cpview binary because it is too limited. 
[Expert@chkpfw1:0]# sqlite3 /var/log/CPView_history/CPViewDB.dat == example queries == === list tables === sqlite> .tables ===list columns=== sqlite> .schema fw_counters ===passing sqlite3 command via CLI=== [Expert@chkpfw1:0]# sqlite3 /var/log/CPView_history/CPViewDB.dat '.tables' ===query with start end times=== sqlite3 /var/log/CPView_history/CPViewDB.dat 'select datetime(Timestamp, "unixepoch") as time,inbound_throughput/1048576/10 as MBS_IN,outbound_throughput/1048576/10 as MBS_OUT,concurrent_conns from fw_counters where time between "2016-01-05 00:00:00" and "2016-01-05 00:10:00"' ===check for high cpu=== sqlite3 /var/log/CPView_history/CPViewDB.dat 'select datetime(Timestamp, "unixepoch") as time,name_of_cpu,cpu_usage from fw_counters where cpu_usage between "90" and "100" ' == cpu table == $ sqlite3 /var/log/CPView_history/CPViewDB.dat '.schema UM_STAT_UM_CPU_UM_CPU_ORDERED_TABLE' | tr ',' '\n' CREATE TABLE UM_STAT_UM_CPU_UM_CPU_ORDERED_TABLE (Timestamp INTEGER name_of_cpu INTEGER cpu_usage INTEGER cpu_usr_time INTEGER cpu_sys_time INTEGER cpu_idl_time INTEGER cpu_io_wait INTEGER cpu_interrupts INTEGER); 63fd7dee8d8325da30856e4a58f2a2f5a188974f 603 587 2016-10-04T18:15:03Z Nighthawk 1 /* cpu table */ wikitext text/x-wiki ==versions== R77 and above The table structure can change dramatically from version to version. For example the number of tables in the cpview database changed from 321 to 83 between r77.20 and r77.30. ==opening the database== We will query it with the sqlite3 utility. We don't use the cpview binary because it is too limited. 
[Expert@chkpfw1:0]# sqlite3 /var/log/CPView_history/CPViewDB.dat == example queries == === list tables === sqlite> .tables ===list columns=== sqlite> .schema fw_counters ===passing sqlite3 command via CLI=== [Expert@chkpfw1:0]# sqlite3 /var/log/CPView_history/CPViewDB.dat '.tables' ===query with start end times=== sqlite3 /var/log/CPView_history/CPViewDB.dat 'select datetime(Timestamp, "unixepoch") as time,inbound_throughput/1048576/10 as MBS_IN,outbound_throughput/1048576/10 as MBS_OUT,concurrent_conns from fw_counters where time between "2016-01-05 00:00:00" and "2016-01-05 00:10:00"' == cpu table == $ sqlite3 /var/log/CPView_history/CPViewDB.dat '.schema UM_STAT_UM_CPU_UM_CPU_ORDERED_TABLE' | tr ',' '\n' CREATE TABLE UM_STAT_UM_CPU_UM_CPU_ORDERED_TABLE (Timestamp INTEGER name_of_cpu INTEGER cpu_usage INTEGER cpu_usr_time INTEGER cpu_sys_time INTEGER cpu_idl_time INTEGER cpu_io_wait INTEGER cpu_interrupts INTEGER); 70355017f4c78f9dfc71dd9f6f5ee86815f0c845 587 584 2016-06-10T13:22:59Z Nighthawk 1 wikitext text/x-wiki ==versions== R77 and above The table structure can change dramatically from version to version. For example the number of tables in the cpview database changed from 321 to 83 between r77.20 and r77.30. ==opening the database== We will query it with the sqlite3 utility. We don't use the cpview binary because it is too limited. 
[Expert@chkpfw1:0]# sqlite3 /var/log/CPView_history/CPViewDB.dat == example queries == === list tables === sqlite> .tables ===list columns=== sqlite> .schema fw_counters ===passing sqlite3 command via CLI=== [Expert@chkpfw1:0]# sqlite3 /var/log/CPView_history/CPViewDB.dat '.tables' ===query with start end times=== sqlite3 /var/log/CPView_history/CPViewDB.dat 'select datetime(Timestamp, "unixepoch") as time,inbound_throughput/1048576/10 as MBS_IN,outbound_throughput/1048576/10 as MBS_OUT,concurrent_conns from fw_counters where time between "2016-01-05 00:00:00" and "2016-01-05 00:10:00"' == cpu table == $ sqlite3 ./CPViewDB.dat '.schema UM_STAT_UM_CPU_UM_CPU_ORDERED_TABLE' | tr ',' '\n' CREATE TABLE UM_STAT_UM_CPU_UM_CPU_ORDERED_TABLE (Timestamp INTEGER name_of_cpu INTEGER cpu_usage INTEGER cpu_usr_time INTEGER cpu_sys_time INTEGER cpu_idl_time INTEGER cpu_io_wait INTEGER cpu_interrupts INTEGER); 04f64beca90032c5d48fc97f1ac585eace91e3e4 584 574 2016-06-07T13:34:01Z Nighthawk 1 /* versions */ wikitext text/x-wiki ==versions== R77 and above The table structure can change dramatically from version to version. For example the number of tables in the cpview database changed from 321 to 83 between r77.20 and r77.30. ==opening the database== We will query it with the sqlite3 utility. We don't use the cpview binary because it is too limited. 
[Expert@chkpfw1:0]# sqlite3 /var/log/CPView_history/CPViewDB.dat == example queries == === list tables === sqlite> .tables ===list columns=== sqlite> .schema fw_counters ===passing sqlite3 command via CLI=== [Expert@chkpfw1:0]# sqlite3 /var/log/CPView_history/CPViewDB.dat '.tables' ===query with start end times=== sqlite3 /var/log/CPView_history/CPViewDB.dat 'select datetime(Timestamp, "unixepoch") as time,inbound_throughput/1048576/10 as MBS_IN,outbound_throughput/1048576/10 as MBS_OUT,concurrent_conns from fw_counters where time between "2016-01-05 00:00:00" and "2016-01-05 00:10:00"' 332189fe81644e9dd9071a1ed8c78989d9492ec4 574 573 2016-02-24T22:10:04Z Nighthawk 1 wikitext text/x-wiki ==versions== R77 and above The table structure can change dramatically from version to version. For example the number of tables in the cpview database changed from 321 to 83 between r77.20 and r77.30. ==opening the database== We will query it with the sqlite3 utility. We don't use the cpview binary because it is too limited. [Expert@chkpfw1:0]# sqlite3 /var/log/CPView_history/CPViewDB.dat == example queries == === list tables === sqlite> .tables ===list columns=== sqlite> .schema fw_counters ===passing sqlite3 command via CLI=== [Expert@chkpfw1:0]# sqlite3 /var/log/CPView_history/CPViewDB.dat '.tables' ===query with start end times=== sqlite3 /var/log/CPView_history/CPViewDB.dat 'select datetime(Timestamp, "unixepoch") as time,inbound_throughput/1048576/10 as MBS_IN,outbound_throughput/1048576/10 as MBS_OUT,concurrent_conns from fw_counters where time between "2016-01-05 00:00:00" and "2016-01-05 00:10:00"' 573 2016-02-20T16:27:12Z Nighthawk 1 Created page with " == example queries == using sqlite3 sqlite3 /var/log/CPView_history/CPViewDB.dat 'select datetime(Timestamp, "unixepoch") as loltime,inbound_throughput/1048576/10 as MBS_IN..." 
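As an added example (not part of the wiki page and not Check Point tooling), the queries above run through Python's built-in sqlite3 module against a constructed in-memory table that mimics the fw_counters layout the page queries. Assumed, not from the page: the sample table's column set, the sample rows, and the reading of the `/1048576/10` divisor as "bytes accumulated over a 10-second interval, converted to MB/s". The example also shows two things the one-liners hide: bound parameters instead of values pasted into the query string, and an explicit ORDER BY for the "oldest date" query, which on the page relies on `limit 1` returning the first-inserted row. One caveat to check on your own version first: the page's high-cpu query reads name_of_cpu and cpu_usage from fw_counters, while the cpu table section shows those columns in UM_STAT_UM_CPU_UM_CPU_ORDERED_TABLE, which is what the author's "(77.20?)" hints at.

```python
import re
import sqlite3
from datetime import datetime, timezone

# The page divides the throughput counters by 1048576 and then by 10.
# Assumption (not stated on the page): the counter holds bytes accumulated
# over a 10-second sampling interval, so the result is MB/s.
BYTES_PER_MB = 1048576
SAMPLE_INTERVAL_S = 10


def build_sample_db():
    """In-memory SQLite DB shaped like the page's fw_counters table.

    Constructed sample data, not a real CPViewDB.dat: twelve samples one
    minute apart from 2016-01-05 00:00:00 UTC, with CPU 0 at 95% on the
    4th and 5th samples and 40% otherwise.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE fw_counters ("
        "Timestamp INTEGER, inbound_throughput INTEGER, outbound_throughput INTEGER,"
        "concurrent_conns INTEGER, name_of_cpu INTEGER, cpu_usage INTEGER)"
    )
    base = int(datetime(2016, 1, 5, 0, 0, 0, tzinfo=timezone.utc).timestamp())
    rows = []
    for i in range(12):
        rows.append((
            base + 60 * i,
            50 * BYTES_PER_MB * SAMPLE_INTERVAL_S,  # 50 MB/s inbound
            20 * BYTES_PER_MB * SAMPLE_INTERVAL_S,  # 20 MB/s outbound
            1000 + i,                               # concurrent connections
            0,                                      # name_of_cpu
            95 if i in (3, 4) else 40,              # cpu_usage percent
        ))
    conn.executemany("INSERT INTO fw_counters VALUES (?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def list_columns(conn, table):
    """Same information as the page's `.schema <table> | tr ',' '\\n'`.

    PRAGMA cannot take bound parameters, so the identifier is validated
    before it is interpolated.
    """
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", table):
        raise ValueError("table name must be a plain identifier")
    return [row[1] for row in conn.execute(f"PRAGMA table_info({table})")]


def throughput_window(conn, start, end):
    """The page's 'query with start end times', with the bounds bound as parameters.

    SQLite lets the WHERE clause refer to the result alias `time`, which is
    the extension the page's query relies on.
    """
    sql = (
        "SELECT datetime(Timestamp, 'unixepoch') AS time,"
        " inbound_throughput/1048576/10 AS MBS_IN,"
        " outbound_throughput/1048576/10 AS MBS_OUT,"
        " concurrent_conns"
        " FROM fw_counters WHERE time BETWEEN ? AND ? ORDER BY Timestamp"
    )
    return conn.execute(sql, (start, end)).fetchall()


def high_cpu(conn, low=90, high=100):
    """The page's 'check for high cpu' query.

    The page compares against the string literals "90" and "100"; SQLite
    coerces them because cpu_usage has INTEGER affinity, but binding integers
    is the unambiguous form.
    """
    sql = (
        "SELECT datetime(Timestamp, 'unixepoch') AS time, name_of_cpu, cpu_usage"
        " FROM fw_counters WHERE cpu_usage BETWEEN ? AND ? ORDER BY Timestamp"
    )
    return conn.execute(sql, (low, high)).fetchall()


def oldest_sample(conn):
    """Oldest timestamp in the history file, made explicit with ORDER BY.

    The page's `limit 1` without ORDER BY only works because the history
    daemon appends rows in time order.
    """
    row = conn.execute(
        "SELECT datetime(Timestamp, 'unixepoch') FROM fw_counters"
        " ORDER BY Timestamp LIMIT 1"
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_sample_db()
    print(list_columns(db, "fw_counters"))
    for r in throughput_window(db, "2016-01-05 00:00:00", "2016-01-05 00:10:00"):
        print(r)
    print(high_cpu(db))
    print(oldest_sample(db))
```

To run the same functions against an exported copy of a real history file, replace `sqlite3.connect(":memory:")` with the path of the extracted CPViewDB.dat and call `list_columns` first, since the column names differ between releases.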
creating a NON-CPSHELL new user on secureplatform (SPLAT) vi CLI (page id 145, revision 407 of 2014-04-05T17:43:21Z by Nighthawk)

== THIS PAGE IS UNDER CONSTRUCTION AND INCOMPLETE ==
I may not finish this page since Gaia has been out so long.

The purpose would be to create a secure user account that could log in to a bash shell and perform useful O.S. operations. This would be done without root or expert access, and without cpshell restrictions. The user account should be able to perform backup operations and monitoring, and maybe Check Point configuration if we installed the product and granted user group permissions during the install.

For creating a more "vanilla" SPLAT cpshell user (the easy way), go here: [http://www.cpwiki.net/index.php/creating_a_new_user_on_secureplatform_via_CLI creating a new user on secureplatform via CLI]

[[category:user accounts]]

== fix /etc/profile permissions ==
Check Point screws up the permissions on /etc/profile in SPLAT. In Gaia, it appears to be fixed. Regular users should have read access. Check the /etc/profile permissions; if users don't have read access, set it with chmod.

 [Expert@chkpfw1]# chmod 644 /etc/profile

== add user group to ssh AllowGroups ==
By default, SPLAT only allows members of the root group to ssh in. We will try to be secure and add another group to the allowed list. I am being old fashioned and using the legacy Unix wheel group.

 [Expert@chkpfw1]# sed -i -e 's/AllowGroups root/AllowGroups root wheel/' /etc/ssh/sshd_config

to be continued (maybe)...
creating a new user on Gaia via CLI (page id 130, revision 582 of 2016-05-24T19:59:18Z by Nighthawk)

==version==
Tested the commands below on R75.40.

== switch to clish shell ==
If you aren't there already, or are at the expert prompt, just type:
 [Expert@myfirewall]# clish
 myfirewall>
Clish gives you the > prompt.

== add user ==
 > add user jsmith uid 0 homedir /home/jsmith
(where jsmith should be replaced with your username)

== set optional parameters ==
 > set user jsmith realname 'john smith' shell /bin/bash gid 100

== set password ==
 > set user jsmith password

== set roles ==
 > add rba user jsmith roles adminRole

== set access ==
 > add rba user jsmith access-mechanisms Web-UI,CLI

I don't like setting the user to the root UID, but this is how you get an account with root access. When adding via the web interface, it does the same thing. I think Check Point made a mess of the auth permissions, as they have in the past. Without setting the root uid above, a user can't run fw commands like "fw stat", and you get an error upon login.

example login error:
 /opt/CPshrd-R75.40/tmp/.CPprofile.sh: line 96: /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh: Permission denied

 # ls -l /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh
 -rwxrwx--- 1 admin bin 82 Apr 4 2012 /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh

The user's group needs to be added to the "AllowGroups" line in /etc/ssh/sshd_config. All Check Point allows there is the root group. Go figure. Sounds insecure to me.

When adding via the WebUI:
 # cat /etc/passwd|grep jsmith
 jsmith:x:0:100:john smith:/home/jsmith:/bin/bash

[[category:gaia]]

creating a new user on secureplatform via CLI (page id 101, revision 581 of 2016-05-24T19:57:02Z by Nighthawk)

==version==
The following instructions are performed using the admin account in expert mode.
We will create a regular user account with restricted privileges in cpshell. Full expert access is gained by the user by entering expert mode.

It is possible to have a regular user with a bash shell. The problem is that Check Point makes a mess of standard Linux system file and directory permissions, shell environments, etc. This makes creating such a user more work. That won't be covered here.

== creating the user account ==
Create the user account with the standard Linux useradd command:
 [Expert@chkpfw]# useradd -d /home/jsmith -s /bin/cpshell -o -u 0 -G root -m jsmith

== set the user password ==
 [Expert@chkpfw]# /usr/bin/passwd jsmith
 New UNIX password:
 Retype new UNIX password:
 passwd: all authentication tokens updated successfully.

<p>*** note *** the full path is required in the above command because Check Point aliases passwd to...</p>
 alias passwd='/bin/expert_passwd'
<p>If you fail to execute the passwd binary by using the full path, you most likely won't be setting the user password, but the expert password... which is actually the password for the root account.</p>

Example of the incorrect way to reset a user password from the root (Expert) account:
 [Expert@chkpfw]# '''passwd jsmith'''
 Enter new expert password:    <<< if you see this prompt you messed up!

== test new user account access ==
Test the account by connecting to the SPLAT device via ssh. After a successful login, you will be restricted to the commands available inside the cpshell environment. Just type help at the prompt for a list of available commands. Run the "expert" command and enter the expert password to gain full privileges in a bash shell environment.

== troubleshooting ==
If login failures occur, examine the /var/log/secure and /var/log/auth files for error messages.

[[category:sysadmin]]
The problem is Check Point makes a mess of file and directory permissions, mangles shell environments, ect... This makes creating such a user more work. That won't be covered here. == creating the user account == create user account with the standard linux useradd command... [Expert@chkpfw]# useradd -d /home/jsmith -s /bin/cpshell -o -u 0 -G wheel -m jsmith == set the user password == [Expert@chkpfw]# /usr/bin/passwd jsmith New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. <p>*** note *** the full path is required in the above command because Check Point aliases passwd to...</p> alias passwd='/bin/expert_passwd' <p>If you fail to execute the passwd binary by using the full path, you most likely won't be setting the user password, but the expert password... which is actually the password for the root account</p> Example of the incorrect way to reset a user password from the root (Expert) account: [Expert@chkpfw]# '''passwd jsmith''' Enter new expert password: <<< if you see this prompt you messed up! == test new user account access == Test the account by connecting to the SPLAT device via ssh. After a successful login, execute the "expert" command to gain full priveleges. == troubleshooting == If login failures occur, examine /var/log/secure and /var/log/auth files for error messages. [[category:sysadmin]] 400 399 2014-04-05T17:18:17Z Nighthawk 1 /* test new user account access */ wikitext text/x-wiki The following instructions are performed using the admin account in expert mode. We will create a regular user account with restricted priveleges in cpshell. Full expert access will be gained by the user by entering expert mode. It is possible to have a regular user with a bash shell. The problem is Check Point makes a mess of file and directory permissions, mangles shell environments, ect... This makes creating such a user more work. That won't be covered here. 
== fix /etc/profile permissions == Check Point screws up the permissions on /etc/profile in SPLAT. In Gaia, it appears to be fixed. Regular users should have read access. Check /etc/profile permissions, if users don't have read access, set it with chmod. [Expert@chkpfw1]# chmod 644 /etc/profile == creating the user account == create user account with the standard linux useradd command... [Expert@chkpfw]# useradd -d /home/jsmith -s /bin/cpshell -o -u 0 -G wheel -m jsmith == set the user password == [Expert@chkpfw]# /usr/bin/passwd jsmith New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. <p>*** note *** the full path is required in the above command because Check Point aliases passwd to...</p> alias passwd='/bin/expert_passwd' <p>If you fail to execute the passwd binary by using the full path, you most likely won't be setting the user password, but the expert password... which is actually the password for the root account</p> Example of the incorrect way to reset a user password from the root (Expert) account: [Expert@chkpfw]# '''passwd jsmith''' Enter new expert password: <<< if you see this prompt you messed up! == test new user account access == Test the account by connecting to the SPLAT device via ssh. After a successful login, execute the "expert" command to gain full priveleges. == troubleshooting == If login failures occur, examine /var/log/secure and /var/log/auth files for error messages. [[category:sysadmin]] 399 398 2014-04-05T17:18:03Z Nighthawk 1 wikitext text/x-wiki The following instructions are performed using the admin account in expert mode. We will create a regular user account with restricted priveleges in cpshell. Full expert access will be gained by the user by entering expert mode. It is possible to have a regular user with a bash shell. The problem is Check Point makes a mess of file and directory permissions, mangles shell environments, ect... This makes creating such a user more work. 
That won't be covered here. == fix /etc/profile permissions == Check Point screws up the permissions on /etc/profile in SPLAT. In Gaia, it appears to be fixed. Regular users should have read access. Check /etc/profile permissions, if users don't have read access, set it with chmod. [Expert@chkpfw1]# chmod 644 /etc/profile == creating the user account == create user account with the standard linux useradd command... [Expert@chkpfw]# useradd -d /home/jsmith -s /bin/cpshell -o -u 0 -G wheel -m jsmith == set the user password == [Expert@chkpfw]# /usr/bin/passwd jsmith New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. <p>*** note *** the full path is required in the above command because Check Point aliases passwd to...</p> alias passwd='/bin/expert_passwd' <p>If you fail to execute the passwd binary by using the full path, you most likely won't be setting the user password, but the expert password... which is actually the password for the root account</p> Example of the incorrect way to reset a user password from the root (Expert) account: [Expert@chkpfw]# '''passwd jsmith''' Enter new expert password: <<< if you see this prompt you messed up! == test new user account access == test the account by connecting to the SPLAT device via ssh. After a successful login, execute the "expert" command to gain full priveleges. == troubleshooting == If login failures occur, examine /var/log/secure and /var/log/auth files for error messages. [[category:sysadmin]] 398 397 2014-04-05T17:13:48Z Nighthawk 1 wikitext text/x-wiki The following instructions are performed using the admin account in expert mode. We will create a regular user account with restricted priveleges in cpshell. Full expert access will be gained by the user by entering expert mode. It is possible to have a regular user with a bash shell. The problem is Check Point makes a mess of file and directory permissions, mangles shell environments, ect... 
This makes creating such a user more work. That won't be covered here. == fix /etc/profile permissions == Check Point screws up the permissions on /etc/profile in SPLAT. In Gaia, it appears to be fixed. Regular users should have read access. Check /etc/profile permissions, if users don't have read access, set it with chmod. [Expert@chkpfw1]# chmod 644 /etc/profile == creating the user account == create user account with the standard linux useradd command... [Expert@chkpfw]# useradd -d /home/jsmith -s /bin/cpshell -o -u 0 -G wheel -m jsmith == set the user password == [Expert@chkpfw]# /usr/bin/passwd jsmith New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. <p>*** note *** the full path is required in the above command because Check Point aliases passwd to...</p> alias passwd='/bin/expert_passwd' <p>If you fail to execute the passwd binary by using the full path, you most likely won't be setting the user password, but the expert password... which is actually the password for the root account</p> Example of the incorrect way to reset a user password from the root (Expert) account: [Expert@chkpfw]# '''passwd jsmith''' Enter new expert password: <<< if you see this prompt you messed up! 3) edit /etc/passwd...set UID and GUID to zero and default shell to /bin/cpshell. Failure to set the shell to cpshell will allow the user account root privileges immediately upon login. This would not be secure. Example /etc/passwd lines before editing john:x:1002:1002::/home/admin:/bin/bash what is should look like after editing john:x:0:0::/home/admin:/bin/cpshell 4) test your login with ssh. after a successful login, execute the "expert" command to gain root. [[category:sysadmin]] 397 396 2014-04-05T17:11:17Z Nighthawk 1 wikitext text/x-wiki The following instructions are performed using the admin account in expert mode. We will create a regular user account with restricted priveleges in cpshell. 
Full expert access will be gained by the user by entering expert mode. It is possible to have a regular user with a bash shell. The problem is Check Point makes a mess of file and directory permissions, mangles shell environments, ect... This makes creating such a user more work. That won't be covered here. == fix /etc/profile permissions == Check Point screws up the permissions on /etc/profile in SPLAT. In Gaia, it appears to be fixed. Regular users should have read access. Check /etc/profile permissions, if users don't have read access, set it with chmod. [Expert@chkpfw1]# chmod 644 /etc/profile == creating the user account == 1) create user account with the standard linux useradd command... [Expert@chkpfw]# useradd -d /home/jsmith -s /bin/cpshell -o -u 0 -G wheel -m jsmith 2) set the user password [Expert@chkpfw]# /usr/bin/passwd jsmith New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. <p>*** note *** the full path is required in the above command because Check Point aliases passwd to...</p> alias passwd='/bin/expert_passwd' <p>If you fail to execute the passwd binary by using the full path, you most likely won't be setting the user password, but the expert password... which is actually the password for the root account</p> Example of the incorrect way to reset a user password from the root (Expert) account: [Expert@chkpfw]# '''passwd jsmith''' Enter new expert password: <<< if you see this prompt you messed up! 3) edit /etc/passwd...set UID and GUID to zero and default shell to /bin/cpshell. Failure to set the shell to cpshell will allow the user account root privileges immediately upon login. This would not be secure. Example /etc/passwd lines before editing john:x:1002:1002::/home/admin:/bin/bash what is should look like after editing john:x:0:0::/home/admin:/bin/cpshell 4) test your login with ssh. after a successful login, execute the "expert" command to gain root. 
[[category:sysadmin]] 396 395 2014-04-05T17:08:54Z Nighthawk 1 /* creating the user account */ wikitext text/x-wiki The following instructions are performed using the admin account in expert mode. We will create a regular user account with restricted priveleges in cpshell. Full expert access will be gained by the user by entering expert mode. It is possible to have a regular user with a bash shell. The problem is Check Point makes a mess of file and directory permissions, mangles shell environments, ect... This makes creating such a user more work. That won't be covered here. == fix /etc/profile permissions == Check Point screws up the permissions on /etc/profile in SPLAT. In Gaia, it appears to be fixed. Regular users should have read access. Check /etc/profile permissions, if users don't have read access, set it with chmod. [Expert@chkpfw1]# chmod 644 /etc/profile == add user group to ssh AllowGroups== By default, SPLAT only allows members of the root group to ssh in. We will try to be secure and another group to the allowed list. I am being old fashioned, and using the legacy Unix wheel group [Expert@chkpfw1]# sed -i -e 's/AllowGroups root/AllowGroups root wheel/' /etc/ssh/sshd_config == creating the user account == 1) create user account with the standard linux useradd command... [Expert@chkpfw]# useradd -d /home/jsmith -s /bin/cpshell -G wheel -o -u 0 -g wheel -m jsmith [Expert@chkpfw]# useradd -d /home/jsmith -s /bin/cpshell -o -u 0 -G wheel -m jsmith 2) set the user password [Expert@chkpfw]# /usr/bin/passwd jsmith New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. <p>*** note *** the full path is required in the above command because Check Point aliases passwd to...</p> alias passwd='/bin/expert_passwd' <p>If you fail to execute the passwd binary by using the full path, you most likely won't be setting the user password, but the expert password... 
which is actually the password for the root account</p> Example of the incorrect way to reset a user password from the root (Expert) account: [Expert@chkpfw]# '''passwd jsmith''' Enter new expert password: <<< if you see this prompt you messed up! 3) edit /etc/passwd...set UID and GUID to zero and default shell to /bin/cpshell. Failure to set the shell to cpshell will allow the user account root privileges immediately upon login. This would not be secure. Example /etc/passwd lines before editing john:x:1002:1002::/home/admin:/bin/bash what is should look like after editing john:x:0:0::/home/admin:/bin/cpshell 4) test your login with ssh. after a successful login, execute the "expert" command to gain root. [[category:sysadmin]] 395 394 2014-04-05T16:59:49Z Nighthawk 1 /* creating the user account */ wikitext text/x-wiki The following instructions are performed using the admin account in expert mode. We will create a regular user account with restricted priveleges in cpshell. Full expert access will be gained by the user by entering expert mode. It is possible to have a regular user with a bash shell. The problem is Check Point makes a mess of file and directory permissions, mangles shell environments, ect... This makes creating such a user more work. That won't be covered here. == fix /etc/profile permissions == Check Point screws up the permissions on /etc/profile in SPLAT. In Gaia, it appears to be fixed. Regular users should have read access. Check /etc/profile permissions, if users don't have read access, set it with chmod. [Expert@chkpfw1]# chmod 644 /etc/profile == add user group to ssh AllowGroups== By default, SPLAT only allows members of the root group to ssh in. We will try to be secure and another group to the allowed list. 
I am being old fashioned, and using the legacy Unix wheel group [Expert@chkpfw1]# sed -i -e 's/AllowGroups root/AllowGroups root wheel/' /etc/ssh/sshd_config == creating the user account == 1) create user account with the standard linux useradd command... [Expert@chkpfw]# useradd -d /home/jsmith -s /bin/cpshell -G wheel -o -u 0 -g wheel -m jsmith [Expert@chkpfw]# useradd -d /home/jsmith -s /bin/cpshell -G wheel -g wheel -m jsmith 2) set the user password [Expert@chkpfw]# /usr/bin/passwd jsmith New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. <p>*** note *** the full path is required in the above command because Check Point aliases passwd to...</p> alias passwd='/bin/expert_passwd' <p>If you fail to execute the passwd binary by using the full path, you most likely won't be setting the user password, but the expert password... which is actually the password for the root account</p> Example of the incorrect way to reset a user password from the root (Expert) account: [Expert@chkpfw]# '''passwd jsmith''' Enter new expert password: <<< if you see this prompt you messed up! 3) edit /etc/passwd...set UID and GUID to zero and default shell to /bin/cpshell. Failure to set the shell to cpshell will allow the user account root privileges immediately upon login. This would not be secure. Example /etc/passwd lines before editing john:x:1002:1002::/home/admin:/bin/bash what is should look like after editing john:x:0:0::/home/admin:/bin/cpshell 4) test your login with ssh. after a successful login, execute the "expert" command to gain root. [[category:sysadmin]] 394 393 2014-04-05T16:59:10Z Nighthawk 1 /* add user group to ssh AllowGroups */ wikitext text/x-wiki The following instructions are performed using the admin account in expert mode. We will create a regular user account with restricted priveleges in cpshell. Full expert access will be gained by the user by entering expert mode. 
It is possible to have a regular user with a bash shell. The problem is Check Point makes a mess of file and directory permissions, mangles shell environments, ect... This makes creating such a user more work. That won't be covered here. == fix /etc/profile permissions == Check Point screws up the permissions on /etc/profile in SPLAT. In Gaia, it appears to be fixed. Regular users should have read access. Check /etc/profile permissions, if users don't have read access, set it with chmod. [Expert@chkpfw1]# chmod 644 /etc/profile == add user group to ssh AllowGroups== By default, SPLAT only allows members of the root group to ssh in. We will try to be secure and another group to the allowed list. I am being old fashioned, and using the legacy Unix wheel group [Expert@chkpfw1]# sed -i -e 's/AllowGroups root/AllowGroups root wheel/' /etc/ssh/sshd_config == creating the user account == 1) create user account with the standard linux useradd command... [Expert@chkpfw]# useradd -d /home/jsmith -s /bin/cpshell -G wheel -o -u 0 -g wheel -m jsmith 2) set the user password [Expert@chkpfw]# /usr/bin/passwd jsmith New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. <p>*** note *** the full path is required in the above command because Check Point aliases passwd to...</p> alias passwd='/bin/expert_passwd' <p>If you fail to execute the passwd binary by using the full path, you most likely won't be setting the user password, but the expert password... which is actually the password for the root account</p> Example of the incorrect way to reset a user password from the root (Expert) account: [Expert@chkpfw]# '''passwd jsmith''' Enter new expert password: <<< if you see this prompt you messed up! 3) edit /etc/passwd...set UID and GUID to zero and default shell to /bin/cpshell. Failure to set the shell to cpshell will allow the user account root privileges immediately upon login. This would not be secure. 
Example /etc/passwd lines before editing john:x:1002:1002::/home/admin:/bin/bash what is should look like after editing john:x:0:0::/home/admin:/bin/cpshell 4) test your login with ssh. after a successful login, execute the "expert" command to gain root. [[category:sysadmin]] 393 392 2014-04-05T16:57:25Z Nighthawk 1 /* creating the user account */ wikitext text/x-wiki The following instructions are performed using the admin account in expert mode. We will create a regular user account with restricted priveleges in cpshell. Full expert access will be gained by the user by entering expert mode. It is possible to have a regular user with a bash shell. The problem is Check Point makes a mess of file and directory permissions, mangles shell environments, ect... This makes creating such a user more work. That won't be covered here. == fix /etc/profile permissions == Check Point screws up the permissions on /etc/profile in SPLAT. In Gaia, it appears to be fixed. Regular users should have read access. Check /etc/profile permissions, if users don't have read access, set it with chmod. [Expert@chkpfw1]# chmod 644 /etc/profile == add user group to ssh AllowGroups== I am being old fashioned, and using the legacy Unix wheel group [Expert@chkpfw1]# sed -i -e 's/AllowGroups root/AllowGroups root wheel/' /etc/ssh/sshd_config == creating the user account == 1) create user account with the standard linux useradd command... [Expert@chkpfw]# useradd -d /home/jsmith -s /bin/cpshell -G wheel -o -u 0 -g wheel -m jsmith 2) set the user password [Expert@chkpfw]# /usr/bin/passwd jsmith New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. <p>*** note *** the full path is required in the above command because Check Point aliases passwd to...</p> alias passwd='/bin/expert_passwd' <p>If you fail to execute the passwd binary by using the full path, you most likely won't be setting the user password, but the expert password... 
which is actually the password for the root account</p> Example of the incorrect way to reset a user password from the root (Expert) account: [Expert@chkpfw]# '''passwd jsmith''' Enter new expert password: <<< if you see this prompt you messed up! 3) edit /etc/passwd...set UID and GUID to zero and default shell to /bin/cpshell. Failure to set the shell to cpshell will allow the user account root privileges immediately upon login. This would not be secure. Example /etc/passwd lines before editing john:x:1002:1002::/home/admin:/bin/bash what is should look like after editing john:x:0:0::/home/admin:/bin/cpshell 4) test your login with ssh. after a successful login, execute the "expert" command to gain root. [[category:sysadmin]] 392 323 2014-04-05T16:54:26Z Nighthawk 1 wikitext text/x-wiki The following instructions are performed using the admin account in expert mode. We will create a regular user account with restricted priveleges in cpshell. Full expert access will be gained by the user by entering expert mode. It is possible to have a regular user with a bash shell. The problem is Check Point makes a mess of file and directory permissions, mangles shell environments, ect... This makes creating such a user more work. That won't be covered here. == fix /etc/profile permissions == Check Point screws up the permissions on /etc/profile in SPLAT. In Gaia, it appears to be fixed. Regular users should have read access. Check /etc/profile permissions, if users don't have read access, set it with chmod. [Expert@chkpfw1]# chmod 644 /etc/profile == add user group to ssh AllowGroups== I am being old fashioned, and using the legacy Unix wheel group [Expert@chkpfw1]# sed -i -e 's/AllowGroups root/AllowGroups root wheel/' /etc/ssh/sshd_config == creating the user account == 1) create user account with the standard linux useradd command... 
[Expert@argo]# useradd -d /home/jsmith -s /bin/cpshell -G wheel -o -u 0 -g wheel -m jsmith 2) set the user password [Expert@chkpfw]# /usr/bin/passwd jsmith New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. <p>*** note *** the full path is required in the above command because Check Point aliases passwd to...</p> alias passwd='/bin/expert_passwd' <p>If you fail to execute the passwd binary by using the full path, you most likely won't be setting the user password, but the expert password... which is actually the password for the root account</p> Example of the incorrect way to reset a user password from the root (Expert) account: [Expert@chkpfw]# '''passwd jsmith''' Enter new expert password: <<< if you see this prompt you messed up! 3) edit /etc/passwd...set UID and GUID to zero and default shell to /bin/cpshell. Failure to set the shell to cpshell will allow the user account root privileges immediately upon login. This would not be secure. Example /etc/passwd lines before editing john:x:1002:1002::/home/admin:/bin/bash what is should look like after editing john:x:0:0::/home/admin:/bin/cpshell 4) test your login with ssh. after a successful login, execute the "expert" command to gain root. [[category:sysadmin]] 323 184 2013-12-16T15:51:54Z Nighthawk 1 wikitext text/x-wiki The following instructions are performed using the root (Expert) account. == fix /etc/profile permissions == Check Point screws up the permissions on /etc/profile in SPLAT. In Gaia, it appears to be fixed. Regular users should have read access. Check /etc/profile permissions, if users don't have read access, set it with chmod. 
[Expert@chkpfw1]# chmod 644 /etc/profile == add user group to ssh AllowGroups== I am being old fashioned, and using the legacy Unix wheel group [Expert@chkpfw1]# sed -i -e 's/AllowGroups root/AllowGroups root wheel/' /etc/ssh/sshd_config == creating the user account == 1) create user account with the standard linux useradd command... [Expert@argo]# useradd -d /home/jsmith -s /bin/cpshell -G wheel -o -u 0 -g wheel -m jsmith 2) set the user password [Expert@chkpfw]# /usr/bin/passwd jsmith New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. <p>*** note *** the full path is required in the above command because Check Point aliases passwd to...</p> alias passwd='/bin/expert_passwd' <p>If you fail to execute the passwd binary by using the full path, you most likely won't be setting the user password, but the expert password... which is actually the password for the root account</p> Example of the incorrect way to reset a user password from the root (Expert) account: [Expert@chkpfw]# '''passwd jsmith''' Enter new expert password: <<< if you see this prompt you messed up! 3) edit /etc/passwd...set UID and GUID to zero and default shell to /bin/cpshell. Failure to set the shell to cpshell will allow the user account root privileges immediately upon login. This would not be secure. Example /etc/passwd lines before editing john:x:1002:1002::/home/admin:/bin/bash what is should look like after editing john:x:0:0::/home/admin:/bin/cpshell 4) test your login with ssh. after a successful login, execute the "expert" command to gain root. [[category:sysadmin]] 184 183 2013-07-18T21:47:16Z Nighthawk 1 wikitext text/x-wiki The following instructions are performed using the root (Expert) account. 1) create user account with the standard linux useradd command... 
[Expert@chkpfw]# useradd -d /home/''username username'' 2) set the user password [Expert@chkpfw]# /usr/bin/passwd ''username'' New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. <p>*** note *** the full path is required in the above command because Check Point aliases passwd to...</p> alias passwd='/bin/expert_passwd' <p>If you fail to execute the passwd binary by using the full path, you most likely won't be setting the user password, but the expert password... which is actually the password for the root account</p> Example of the incorrect way to reset a user password from the root (Expert) account: [Expert@chkpfw]# '''passwd john''' Enter new expert password: <<< if you see this prompt you messed up! 3) edit /etc/passwd...set UID and GUID to zero and default shell to /bin/cpshell. Failure to set the shell to cpshell will allow the user account root privileges immediately upon login. This would not be secure. Example /etc/passwd lines before editing john:x:1002:1002::/home/admin:/bin/bash what is should look like after editing john:x:0:0::/home/admin:/bin/cpshell 4) test your login with ssh. after a successful login, execute the "expert" command to gain root. [[category:sysadmin]] 183 182 2013-07-18T21:45:41Z Nighthawk 1 wikitext text/x-wiki The following instructions are performed using the root (Expert) account. 1) create user account with the standard linux useradd command... [Expert@chkpfw]# useradd -d /home/''username username'' 2) set the user password [Expert@chkpfw]# /usr/bin/passwd ''username'' New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. <p>*** note *** the full path is required in the above command because Check Point aliases passwd to...</p> alias passwd='/bin/expert_passwd' <p>If you fail to execute the passwd binary by using the full path, you most likely won't be setting the user password, but the expert password... 
= cyclic logging deletion mechanism =
revision 671 (2017-08-07T18:55:54Z, Nighthawk)

referenced sk33309, all versions

SmartView Tracker messages / errors in the traffic log files of the log server (not on the SmartCenter or in the fw.adtlog):

'''Normal log deletion log'''
* Type: Control
* Information field: Log file <name> has been deleted by the "Cyclic Logging" mechanism

'''Disk space triggered log deletion that failed'''
* Type: Alert
* Information field: The log repository quota has been exceeded. No file could be deleted.

This message indicates that the system tried to delete old log files in order to fulfill the required disk space requirement, as defined by the user, but could not find an appropriate file to delete. This might be because there are no old files left to delete (the active log file cannot be deleted), or because the user configured the mechanism not to delete log files from the last "N" days. The user should delete files manually from the machine in order to reach the desired free disk space. If the user does not, the current log might be deleted when a log switch occurs.
= dbedit firewall object creation =
revision 91 (2013-05-10T06:58:30Z, Nighthawk)

The following dbedit commands will create a Check Point firewall object with a management IP of 10.30.11.1 and 2 interfaces under the topology.
 create gateway_ckp ckptestgw
 modify network_objects ckptestgw ipaddr 10.30.11.1
 addelement network_objects ckptestgw interfaces interface
 modify network_objects ckptestgw interfaces:0:ifindex 0
 modify network_objects ckptestgw interfaces:0:ipaddr 2.2.2.2
 modify network_objects ckptestgw interfaces:0:officialname eth0
 addelement network_objects ckptestgw interfaces interface
 modify network_objects ckptestgw interfaces:1:ifindex 1
 modify network_objects ckptestgw interfaces:1:ipaddr 3.3.3.3
 modify network_objects ckptestgw interfaces:1:netmask 255.255.255.0
 modify network_objects ckptestgw interfaces:1:officialname eth1

[[category:dbedit]]

= dbedit rule creation =
revision 655 (2017-05-15T21:50:55Z, Nighthawk)

IMPORTANT: the first rule for dbedit is rule 0, not 1. Also, dbedit counts section headers as rules!!! So, to manipulate a rule # seen in SmartDashboard, the formula is:

 SmartDashboard rule # + # of section headers before it - 1 = dbedit rule #

add source host1 to rule 1

 addelement fw_policies ##Standard rule:1:src:'' network_objects:host1

deleting a rule (untested)

 dbedit> rmbyindex fw_policies ##Standard rule 10
 dbedit> update_all fw_policies::##Standard
 Updated Successfully

[[category:dbedit]]
= dbedit scripts =
revision 78 (2013-04-26T01:33:03Z, Nighthawk)

== create hosts ==

 for i in {1..12}; do \
 echo "create network host_192.168.$i.0-24"; \
 echo "modify network_objects host_192.168.$i.0-24 ipaddr 192.168.$i.0"; \
 echo "update network_objects host_192.168.$i.0-24"; done

== create networks ==

 for i in {1..12}; do \
 echo "create network net_192.168.$i.0-24"; \
 echo "modify network_objects net_192.168.$i.0-24 ipaddr 192.168.$i.0"; \
 echo "modify network_objects net_192.168.$i.0-24 netmask 255.255.255.0"; \
 echo "update network_objects net_192.168.$i.0-24"; done

[[category:dbedit]]
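Added example, not part of the wiki page: the network loop above generalised to a list of CIDR networks, with the netmask derived from the prefix length instead of hard-coding 255.255.255.0. The net_<ip>-<prefix> naming follows the loop above, the CIDR list is constructed, the function names are my own, and the last helper applies the dbedit rule index formula from the rule creation page.

```shell
#!/bin/sh
# Added example (not from the wiki): generate dbedit network object commands
# from CIDR notation of any prefix length. Object names follow the wiki's
# net_<ip>-<prefix> pattern; the CIDR list at the bottom is constructed.

# Convert a prefix length (0-32) to a dotted-decimal netmask; exit 1 otherwise.
prefix_to_netmask() {
    awk -v p="$1" 'BEGIN {
        if (p !~ /^[0-9]+$/ || p > 32) exit 1
        for (i = 0; i < 4; i++) {
            bits = p - 8 * i            # mask bits falling into this octet
            if (bits > 8) bits = 8
            if (bits < 0) bits = 0
            o[i] = 256 - 2 ^ (8 - bits)
        }
        printf "%d.%d.%d.%d\n", o[0], o[1], o[2], o[3]
    }'
}

# Emit the dbedit commands for one network object, in the same order as the
# wiki loop: create, modify ipaddr, modify netmask, update.
dbedit_network_cmds() {
    ip="$1"; prefix="$2"
    name="net_${ip}-${prefix}"
    mask="$(prefix_to_netmask "$prefix")" || return 1
    printf 'create network %s\n' "$name"
    printf 'modify network_objects %s ipaddr %s\n' "$name" "$ip"
    printf 'modify network_objects %s netmask %s\n' "$name" "$mask"
    printf 'update network_objects %s\n' "$name"
}

# Read "ip/prefix" lines from stdin and emit one command block per line;
# the output can be fed to dbedit with -f.
dbedit_script_from_cidrs() {
    while IFS=/ read -r ip prefix; do
        [ -n "$ip" ] && dbedit_network_cmds "$ip" "$prefix"
    done
}

# dbedit index of a SmartDashboard rule: dbedit counts from 0 and counts
# section headers as rules, so index = rule# - 1 + headers before it.
dbedit_rule_index() {
    echo $(( $1 - 1 + $2 ))
}

# Constructed input: three networks with different prefix lengths.
dbedit_script_from_cidrs <<'EOF'
192.168.1.0/24
10.30.0.0/16
172.16.5.128/25
EOF
```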
= disabling smartmap =
revision 530 (2014-08-11T17:33:50Z, Nighthawk)

To disable SmartMap completely:
# Backup and edit using vi the objects_5_0.C located at $FWDIR/conf on the active CMA / SmartCenter
# Search for the line entry: totally_disable_VPE
# Change the value from false to true
# Save and exit vi, restart the CMA / SmartCenter

= enable bash history in Gaia and SPLAT =
revision 888 (2023-11-28T15:26:57Z, Nighthawk)

By default, bash history is on, but the commands run are not saved to the .bash_history file, so they cannot be accessed upon your next login.

 [Expert@ckkpmgr]# '''set -o | grep history'''
 history on
 [Expert@ckkpmgr]# '''echo $HISTFILESIZE'''
 0

to enable it globally for all users

 [Expert@myfirewall]# '''sed -i -e 's/HISTFILESIZE=0/HISTFILESIZE=1000/' /etc/bashrc; source /etc/bashrc'''

verify it worked

 [Expert@ckkpmgr]# '''echo $HISTFILESIZE'''
 1000

bash command history is saved upon logout

[[category:bash]]
[[category:CLI]]
= enable or disable a Provider-1 CMA =
revision 531 (2014-09-05T18:10:09Z, Nighthawk): moved [[enable / disable Provider-1 CMA]] to [[enable or disable a Provider-1 CMA]]

to disable a CMA...

1) Connect to the CMA with write privileges; this creates a manage.lock file in $FWDIR/tmp/

2) '''mdsenv <cma|cma_ip>'''

3) '''chattr +i $FWDIR/tmp/manage.lock''' this makes the file undeletable. Attempts to "disconnect" and forcibly take write access via SmartDashboard fail, and rm on the file fails too.
to re-enable

1) '''mdsenv <cma|cma_ip>'''

2) '''chattr -i $FWDIR/tmp/manage.lock''' this makes the file deletable again

3) '''rm $FWDIR/tmp/manage.lock'''

[[category:provider-1]]
= enabling and disabling CMAs =
revision 610 (2016-12-06T17:04:11Z, Nighthawk)

== disable a CMA ==
# login to the CMA with write privileges via SmartDashboard
# mdsenv <cma|cma_ip>
# chattr +i $FWDIR/tmp/manage.lock  this makes the manage.lock file undeletable. Attempts to "disconnect" the user or even restarting the CMA will not have an effect.

== re-enable ==
# mdsenv <cma|cma_ip>
# chattr -i $FWDIR/tmp/manage.lock
# rm $FWDIR/tmp/manage.lock

[[category:provider-1]]

= firewall log accept and drop rate calculation =
revision 506 (2014-06-23T18:55:16Z, Nighthawk)

'''baseline / count accepts & drops for the last minute from firewall 192.168.1.1'''

accept command

 # fw log -n -c accept -h 192.168.1.1 -s `/bin/date --date="1 minutes ago" +%T` -e `/bin/date +%T` |wc -l
 9013

drop command

 # fw log -n -c drop -h 192.168.1.1 -s `/bin/date --date="1 minutes ago" +%T` -e `/bin/date +%T` |wc -l
 761

== script (one liner) ==

This command will give you the accept and drop rate for the last minute for the IP specified.
 [Expert@cplogger]# '''IP="192.168.1.1"; for i in accept drop; do printf "$i "; fw log -n -c $i -h $IP -s `/bin/date --date="1 minutes ago" +%T` -e `/bin/date +%T` |wc -l; done'''
 accept 699
 drop 301

[[category:logs]]
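Added example, not from the wiki: the accept/drop count one-liner above reworked to run over a saved text dump of fw log -n output, with the src: field counting used in the log parsing scratch notes elsewhere on this wiki. The function names are my own and the sample log lines are constructed to mimic the fw log text layout.

```shell
#!/bin/sh
# Added example (not from the wiki): count accept/drop records and top source
# addresses in a text dump of "fw log -n" output, so the per-minute baseline
# can be checked offline. The log lines below are constructed.

# Count records whose action field (second column of fw log -n output) matches.
count_action() {
    awk -v a="$2" '$2 == a { n++ } END { print n + 0 }' "$1"
}

# Same output shape as the wiki one-liner: "accept N" then "drop N".
rate_summary() {
    for action in accept drop; do
        printf '%s %s\n' "$action" "$(count_action "$1" "$action")"
    done
}

# Top N source addresses by record count, printed as "ip count".
# Walks the fields for the "src:" token like the awk in the scratch notes,
# stripping the trailing ';' that fw log puts after every value.
top_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "src:") { v = $(i + 1); sub(/;$/, "", v); print v } }' "$1" |
        sort | uniq -c | sort -rn | head -n "$2" | awk '{ print $2, $1 }'
}

# Constructed sample: six records from one minute, two actions, three sources.
SAMPLE_FWLOG="$(mktemp)"
cat > "$SAMPLE_FWLOG" <<'EOF'
12:00:01 accept fw1 >eth0 product: VPN-1 & FireWall-1; src: 10.0.0.5; s_port: 40001; dst: 192.0.2.10; service: https; proto: tcp; rule: 5;
12:00:02 drop fw1 >eth0 product: VPN-1 & FireWall-1; src: 10.0.0.7; s_port: 40002; dst: 192.0.2.10; service: telnet; proto: tcp; rule: 20;
12:00:05 accept fw1 >eth0 product: VPN-1 & FireWall-1; src: 10.0.0.5; s_port: 40003; dst: 192.0.2.11; service: https; proto: tcp; rule: 5;
12:00:09 accept fw1 >eth0 product: VPN-1 & FireWall-1; src: 10.0.0.9; s_port: 40004; dst: 192.0.2.10; service: dns; proto: udp; rule: 7;
12:00:14 drop fw1 >eth0 product: VPN-1 & FireWall-1; src: 10.0.0.5; s_port: 40005; dst: 192.0.2.12; service: smb; proto: tcp; rule: 20;
12:00:31 accept fw1 >eth0 product: VPN-1 & FireWall-1; src: 10.0.0.7; s_port: 40006; dst: 192.0.2.10; service: https; proto: tcp; rule: 5;
EOF

rate_summary "$SAMPLE_FWLOG"      # accept 4 / drop 2
top_sources "$SAMPLE_FWLOG" 2     # 10.0.0.5 3 / 10.0.0.7 2
```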
= firewall log parsing scratch notes =
revision 544 (2014-10-08T14:12:13Z, Nighthawk)

commands run on "fw log" output saved to a txt file...

 cat /var/tmp/CLM_2014-10-03_06-00-00_to_09-00-00.log.txt | awk -F ";" '{print $3}' | awk '{print $2}' | uniq -c | sort -rn | head

 cat /var/tmp/CLM_2014-10-03_06-00-00_to_09-00-00.log.txt | awk '{for (i=1; i<=NF; i++) if ($i=="src:") print $(i+1)}' | uniq -c | sort -rn | head

 cat /var/tmp/CLM_2014-10-03_06-00-00_to_09-00-00.log.txt | awk '{for (i=1; i<=NF; i++) if ($i=="src:") print $(i+1)}' | sort | uniq -c | sort -n -r | head

 cat /var/tmp/CLM_2014-10-03_06-00-00_to_09-00-00.log.txt | grep "src: 17.24.13.25" | awk '{for (i=1; i<=NF; i++) if ($i=="src:") print $(i+1)}' | wc -l

 awk '{for (i=1; i<=NF; i++) if ($i=="src:") print $(i+1)}' | sort | uniq -c | sort -n -r | head

= firewall logconnection status =
revision 667 (2017-06-16T00:13:47Z, Nighthawk)

 [Expert@chkpfw1:0]# cpstat fw -f log_connection

= fortimanager VM notes =
revision 916 (2024-06-20T18:05:10Z, Nighthawk)

==version 6.4==
this version was used because higher versions were failing on the trial license for me.
==console login==
default login = admin / (empty password)

==initial config==

 config system interface
     edit port1
         set mode static
         set ip 10.1.1.100 255.255.255.0
     next
 end
 config system route
     edit 1
         set device port1
         set gateway 10.1.1.1
     next
 end

==license==
connect a browser via https to the IP above. You get a message about signing into FortiCloud for the trial license. Login and proceed and hope for a message of success. I forgot to screenshot it.

view the VM license via CLI:

 FMG-VM64-KVM # '''diag debug vminfo'''
 VM license is valid.
 Type: Trial
 Max devices: 3
 Management IP: 0.0.0.0
 VM UUID: 2da3fe28-143d-415f-9939-2d8f8c6ce433

no expiration date... yay! too bad it is so old.

[[category:fortinet]]

= fortinet CLI notes =
revision 917 (2024-06-20T18:10:14Z, Nighthawk)

==vdom==
entering / editing a vdom

 # config vdom
 (vdom) # edit myvdom
 (myvdom) #

==interface commands==
===configure===
example

 # config system interface
 # edit port1
 # set mode static
 # set ip 10.1.1.1 255.255.255.0
 # next
 # end

===get info===
for admin status, link status, speeds, counters...

 # config global
 # get hardware nic <interface name>

==routes==

 # config router static
 # edit <route_index>
 # set device "<interface_name>"
 # set dst "<destination_ip>"
 # set gateway "<router_ip>"

for the default gw..

 # set dst 0.0.0.0 0.0.0.0

or just leave the dst line out.

HA status

 # config global
 # get sys ha status

HA failover to the highest priority unit (if it is not currently Master): on the current master run...
 # config global
 # diagnose sys ha reset-uptime

get admin hash password

 # config global
 # config sys admin
 # show

uptime

 # config global
 # get system perf status | grep -i uptime

shutdown/reboot

 # execute shutdown

or

 # execute reboot

==firewall==

 # show firewall policy

==packet capture==

 # diagnose sniffer packet <interface|any> '<tcpdump-filter>' <verbosity> <count> <time-format>

where if count = 0, then unlimited

example:

 fotinet1 # '''diagnose sniffer packet port1 'icmp' 4 2 l'''
 interfaces=[port1]
 filters=[icmp]
 2022-08-25 13:16:52.397609 port1 -- 192.168.169.76 -> 192.168.169.31: icmp: echo request
 2022-08-25 13:16:52.397673 port1 -- 192.168.169.31 -> 192.168.169.76: icmp: echo reply

==misc==
check if fortigate has fortimanager central-management setting

 $ show full-configuration | grep "set fmg "

==default login==
VM images = admin / (empty password)

[[category:fortinet]]
= fortinet downloads =
last revised 2024-06-20T21:18:53Z by Nighthawk

https://support.fortinet.com/Download/FirmwareImages.aspx

= fw audit log parsing via CLI =
last revised 2013-08-21T14:14:48Z by Nighthawk

Log entries and field changes are separated by semicolons in the fw.adtlog file. It is very difficult to read, even with SmartView Tracker. The command line below, run on the SmartCenter or from a CMA environment, outputs the log file to the terminal in an easy to read format, one field per line. The awk uses an explicit "%s" format so that a literal % inside a log field is not interpreted as a printf directive.

parse
 # fw log -ln -s "Aug 19,2013 21:45:00" -e "Aug 20,2013 23:59:00" fw.adtlog | awk -F ";" '{for (i=1; i<=NF; i++) printf "%s\n", $i}'

example output...
 19Aug2013 21:53:01 accept 192.168.1.1 <
 ObjectName: test_group_object
 ObjectType: network_object_group
 ObjectTable: network_objects
 Operation: Modify Object
 Uid: {F7F0772C-0917-11E3-8A4F-ABB20701CFCF}
 Administrator: jsmith
 Machine: lab-mds
 FieldsChanges: test_group_object: added 'test_client'

[[category:logging]]
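As an added example (not the wiki's own command), the same fw.adtlog record layout parsed in Python into per-field dictionaries and then grouped per administrator, which is the view an audit review usually needs. The sample lines are constructed from the page's example record; the second record's Uid and object name are placeholders.

```python
"""Parse Check Point audit-log records (fw.adtlog, as printed by fw log -ln)
into structured fields. Added example; the sample input is constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of what `fw log -ln ... fw.adtlog` emits before the awk
# split: a header (date, time, action, origin, '<' marker) followed by the
# audit fields, separated by ';'. The first record mirrors the page's example;
# the second is invented (placeholder Uid) to show a different operation.
SAMPLE_ADTLOG = """\
19Aug2013 21:53:01 accept 192.168.1.1 < ObjectName: test_group_object; ObjectType: network_object_group; ObjectTable: network_objects; Operation: Modify Object; Uid: {F7F0772C-0917-11E3-8A4F-ABB20701CFCF}; Administrator: jsmith; Machine: lab-mds; FieldsChanges: test_group_object: added 'test_client';
19Aug2013 22:10:45 accept 192.168.1.1 < ObjectName: web_srv_1; ObjectType: host_plain; ObjectTable: network_objects; Operation: Delete Object; Uid: {PLACEHOLDER-UID-0002}; Administrator: mjones; Machine: lab-mds;
"""

HEADER_KEYS = ("date", "time", "action", "origin")


def parse_adtlog_line(line: str) -> Dict[str, str]:
    """Split one fw.adtlog line into a dict of header and audit fields.

    Only the first ': ' of each field separates key from value, so a value
    that itself contains ': ' (FieldsChanges does) is kept intact.
    """
    # Everything before the first '<' is the fixed header; the audit fields follow it.
    head, _, rest = line.partition("<")
    record: Dict[str, str] = dict(zip(HEADER_KEYS, head.split()))
    for field in rest.split(";"):
        field = field.strip()
        if not field:                    # a trailing ';' leaves an empty field
            continue
        key, sep, value = field.partition(": ")
        if not sep:                      # malformed field: keep it, do not crash
            record["_unparsed"] = record.get("_unparsed", "") + field + "|"
            continue
        record[key.strip()] = value.strip()
    return record


def parse_adtlog(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of fw log output."""
    return [parse_adtlog_line(l) for l in text.splitlines() if l.strip()]


def changes_by_admin(records: List[Dict[str, str]]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group object operations per administrator as (time, operation, object)."""
    grouped: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for r in records:
        admin = r.get("Administrator", "<unknown>")
        grouped[admin].append((r.get("time", ""), r.get("Operation", ""), r.get("ObjectName", "")))
    return dict(grouped)


def group_membership_changes(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (group, change) pairs from FieldsChanges of network_object_group
    modifications, e.g. ('test_group_object', "added 'test_client'")."""
    out: List[Tuple[str, str]] = []
    for r in records:
        if r.get("ObjectType") == "network_object_group" and "FieldsChanges" in r:
            group, _, change = r["FieldsChanges"].partition(": ")
            out.append((group, change))
    return out


if __name__ == "__main__":
    recs = parse_adtlog(SAMPLE_ADTLOG)
    for admin, ops in changes_by_admin(recs).items():
        for when, op, obj in ops:
            print(f"{admin:10} {when} {op:15} {obj}")
    print(group_membership_changes(recs))
```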
= fw log command line example =
last revised 2015-01-20T20:23:48Z by Nighthawk

==fw log command line examples==
 fw log -ln -h 192.168.1.1 -s "Sep 1, 2011 15:00:00" -e "Sep 1, 2011 19:00:00" fw.log

[[category:check point]]
wikitext text/x-wiki ==fw log command line examples == fw log -ln -h 192.168.1.1 -s "Sep 1, 2011" 15:00:00 -e "Sep 1, 2011" 19:00:00 fw.log [[category:check point]] 21 2013-02-25T22:55:48Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki ==fw log command line examples == fw log -ln -h 171.160.122.50 -s "Sep 1, 2011" 15:00:00 -e "Sep 1, 2011" 19:00:00 2011-09-01_190552_291.log>/var/tmp/kdmzric2_logs_1500gmt_to_1900gmt_sep1.txt [[category:check point]] fw tab - Check Point man page 0 132 348 347 2014-02-28T18:16:40Z Nighthawk 1 /* Comments */ wikitext text/x-wiki == fw tab == == Description == The fw tab command enables you to view kernel table contents and change them (that is, only dynamic tables since the content of a static table is indeed static). == Usage == fw tab [-t <table>] [-s] -c] [-f] [-o <filename>] [-r] [-u | -m <maxvals>] [[-x | -a} -e entry] [-y] [hostname]" == Syntax == {| cellspacing="5" border="1" ! align="left"|Argument !Description |- | -t <nowiki> <table> </nowiki> | Specifies a table for the command. |- | -s | Displays a short summary of the table (s) information. |- | -y | Specifies to not prompt a user before executing any commands. |- | -f | Displays a formatted version of the table content. Every table may have its own specific format style. |- | -o <filename> | Dumps CL formatted output to filename, which can later be read by fw log or any other entity that can read FW log formats. |- | -c | Displays formatted table information in common format. |- | -r | Resolves IP addresses in formatted output. |- | -x, -a, -e | It is possible to add or remove an entry from an existing dynamic table by using the -a or the -x flags, respectively. These flags must be followed by the -e flag and an entry description (<entry>). Caution - Improper use of the -a and -x flags may cause system instability. |- | [hostname] | A list of one or more targets. When not used, the local machine is used as the default target. 
|} == Example == # fw tab -t <nowiki> <table-name> </nowiki> -a -e "1,2;3,4,5" or or # fw tab -t <nowiki> <table-name> </nowiki> -a -e "<1,2;3,4,5>" Adds an entry: <00000001,00000002,00000003,00000004,00000005,>to<nowiki> <table-name></nowiki> # fw tab -t <nowiki> <table-name> </nowiki> -a -e "1,2," or # fw tab -t <nowiki> <table-name> </nowiki> -a -e "<1,2>" Adds an entry with only a key field: <00000001,00000002> If table<nowiki> <table-name> </nowiki> contains the following<0000000,00000001,00000002> entry: <0000000,00000001,00000002> # fw tab-t<nowiki> <table-name></nowiki> -x-e"0,1" or # fw tab-t<nowiki> <table-name></nowiki> -x-e"0,1;2" Removes the entry from the specified table. == Comments == If table has the 'expire' attribute, entries added using the -a flag will receive the default table timeout. This feature only works on local machine kernel tables and does not work on a remote machine's tables like additional fw tab commands. The -x flag can be used independently of the -e flag in which case the entire table content is deleted. This feature should only be used for debug purposes. It is not advisable to arbitrarily change the content of any kernel table since doing so may have unexpected results including unexpected security and connectivity impacts. [[category:man pages]] [[category:version R75]] [[category:check point]] 347 346 2014-02-28T18:16:32Z Nighthawk 1 /* Example */ wikitext text/x-wiki == fw tab == == Description == The fw tab command enables you to view kernel table contents and change them (that is, only dynamic tables since the content of a static table is indeed static). == Usage == fw tab [-t <table>] [-s] -c] [-f] [-o <filename>] [-r] [-u | -m <maxvals>] [[-x | -a} -e entry] [-y] [hostname]" == Syntax == {| cellspacing="5" border="1" ! align="left"|Argument !Description |- | -t <nowiki> <table> </nowiki> | Specifies a table for the command. |- | -s | Displays a short summary of the table (s) information. 
|- | -y | Specifies to not prompt a user before executing any commands. |- | -f | Displays a formatted version of the table content. Every table may have its own specific format style. |- | -o <filename> | Dumps CL formatted output to filename, which can later be read by fw log or any other entity that can read FW log formats. |- | -c | Displays formatted table information in common format. |- | -r | Resolves IP addresses in formatted output. |- | -x, -a, -e | It is possible to add or remove an entry from an existing dynamic table by using the -a or the -x flags, respectively. These flags must be followed by the -e flag and an entry description (<entry>). Caution - Improper use of the -a and -x flags may cause system instability. |- | [hostname] | A list of one or more targets. When not used, the local machine is used as the default target. |} == Example == # fw tab -t <nowiki> <table-name> </nowiki> -a -e "1,2;3,4,5" or or # fw tab -t <nowiki> <table-name> </nowiki> -a -e "<1,2;3,4,5>" Adds an entry: <00000001,00000002,00000003,00000004,00000005,>to<nowiki> <table-name></nowiki> # fw tab -t <nowiki> <table-name> </nowiki> -a -e "1,2," or # fw tab -t <nowiki> <table-name> </nowiki> -a -e "<1,2>" Adds an entry with only a key field: <00000001,00000002> If table<nowiki> <table-name> </nowiki> contains the following<0000000,00000001,00000002> entry: <0000000,00000001,00000002> # fw tab-t<nowiki> <table-name></nowiki> -x-e"0,1" or # fw tab-t<nowiki> <table-name></nowiki> -x-e"0,1;2" Removes the entry from the specified table. == Comments == If table has the 'expire' attribute, entries added using the -a flag will receive the default table timeout. This feature only works on local machine kernel tables and does not work on a remote machine's tables like additional fw tab commands. The -x flag can be used independently of the -e flag in which case the entire table content is deleted. This feature should only be used for debug purposes. 
It is not advisable to arbitrarily change the content of any kernel table since doing so may have unexpected results including unexpected security and connectivity impacts. [[category:man pages]] [[category:version R75]] [[category:check point]] 346 345 2014-02-28T18:16:05Z Nighthawk 1 /* Example */ wikitext text/x-wiki == fw tab == == Description == The fw tab command enables you to view kernel table contents and change them (that is, only dynamic tables since the content of a static table is indeed static). == Usage == fw tab [-t <table>] [-s] -c] [-f] [-o <filename>] [-r] [-u | -m <maxvals>] [[-x | -a} -e entry] [-y] [hostname]" == Syntax == {| cellspacing="5" border="1" ! align="left"|Argument !Description |- | -t <nowiki> <table> </nowiki> | Specifies a table for the command. |- | -s | Displays a short summary of the table (s) information. |- | -y | Specifies to not prompt a user before executing any commands. |- | -f | Displays a formatted version of the table content. Every table may have its own specific format style. |- | -o <filename> | Dumps CL formatted output to filename, which can later be read by fw log or any other entity that can read FW log formats. |- | -c | Displays formatted table information in common format. |- | -r | Resolves IP addresses in formatted output. |- | -x, -a, -e | It is possible to add or remove an entry from an existing dynamic table by using the -a or the -x flags, respectively. These flags must be followed by the -e flag and an entry description (<entry>). Caution - Improper use of the -a and -x flags may cause system instability. |- | [hostname] | A list of one or more targets. When not used, the local machine is used as the default target. 
|} == Example == # fw tab -t <nowiki> <table-name> </nowiki> -a -e "1,2;3,4,5" or or # fw tab -t <nowiki> <table-name> </nowiki> -a -e "<1,2;3,4,5>" Adds an entry: <00000001,00000002,00000003,00000004,00000005,>to<nowiki> <table-name></nowiki> # fw tab -t <nowiki> <table-name> </nowiki> -a -e "1,2," or # fw tab -t <nowiki> <table-name> </nowiki> -a -e "<1,2>" Adds an entry with only a key field: <00000001,00000002> If table<nowiki> <table-name> </nowiki> contains the following<0000000,00000001,00000002> entry: <0000000,00000001,00000002> # fw tab-t<nowiki> <table-name></nowiki> -x-e"0,1" or # fw tab-t<nowiki> <table-name></nowiki> -x-e"0,1;2" Removes the entry from the specified table. == Comments == If table has the 'expire' attribute, entries added using the -a flag will receive the default table timeout. This feature only works on local machine kernel tables and does not work on a remote machine's tables like additional fw tab commands. The -x flag can be used independently of the -e flag in which case the entire table content is deleted. This feature should only be used for debug purposes. It is not advisable to arbitrarily change the content of any kernel table since doing so may have unexpected results including unexpected security and connectivity impacts. [[category:man pages]] [[category:version R75]] [[category:check point]] 345 344 2014-02-28T18:15:08Z Nighthawk 1 /* Example */ wikitext text/x-wiki == fw tab == == Description == The fw tab command enables you to view kernel table contents and change them (that is, only dynamic tables since the content of a static table is indeed static). == Usage == fw tab [-t <table>] [-s] -c] [-f] [-o <filename>] [-r] [-u | -m <maxvals>] [[-x | -a} -e entry] [-y] [hostname]" == Syntax == {| cellspacing="5" border="1" ! align="left"|Argument !Description |- | -t <nowiki> <table> </nowiki> | Specifies a table for the command. |- | -s | Displays a short summary of the table (s) information. 
|- | -y | Specifies to not prompt a user before executing any commands. |- | -f | Displays a formatted version of the table content. Every table may have its own specific format style. |- | -o <filename> | Dumps CL formatted output to filename, which can later be read by fw log or any other entity that can read FW log formats. |- | -c | Displays formatted table information in common format. |- | -r | Resolves IP addresses in formatted output. |- | -x, -a, -e | It is possible to add or remove an entry from an existing dynamic table by using the -a or the -x flags, respectively. These flags must be followed by the -e flag and an entry description (<entry>). Caution - Improper use of the -a and -x flags may cause system instability. |- | [hostname] | A list of one or more targets. When not used, the local machine is used as the default target. |} == Example == # fw tab -t <nowiki> <table-name> </nowiki> -a -e "1,2;3,4,5" or or # fw tab -t <nowiki> <table-name> </nowiki> -a -e "<1,2;3,4,5>" Adds an entry: <00000001,00000002,00000003,00000004,00000005,>to<nowiki> <table-name></nowiki> # fw tab -t <nowiki> <table-name> </nowiki> -a -e "1,2," or # fw tab -t <nowiki> <table-name> </nowiki> -a -e "<1,2>" Adds an entry with only a key field: <00000001,00000002> If table<table-name> contains the following<0000000,00000001,00000002> entry: <0000000,00000001,00000002> # fw tab-t<nowiki> <table-name></nowiki> -x-e"0,1" or # fw tab-t<nowiki> <table-name></nowiki> -x-e"0,1;2" Removes the entry from the specified table. == Comments == If table has the 'expire' attribute, entries added using the -a flag will receive the default table timeout. This feature only works on local machine kernel tables and does not work on a remote machine's tables like additional fw tab commands. The -x flag can be used independently of the -e flag in which case the entire table content is deleted. This feature should only be used for debug purposes. 
It is not advisable to arbitrarily change the content of any kernel table since doing so may have unexpected results including unexpected security and connectivity impacts. [[category:man pages]] [[category:version R75]] [[category:check point]] 344 343 2014-02-28T18:14:38Z Nighthawk 1 /* Example */ wikitext text/x-wiki == fw tab == == Description == The fw tab command enables you to view kernel table contents and change them (that is, only dynamic tables since the content of a static table is indeed static). == Usage == fw tab [-t <table>] [-s] -c] [-f] [-o <filename>] [-r] [-u | -m <maxvals>] [[-x | -a} -e entry] [-y] [hostname]" == Syntax == {| cellspacing="5" border="1" ! align="left"|Argument !Description |- | -t <nowiki> <table> </nowiki> | Specifies a table for the command. |- | -s | Displays a short summary of the table (s) information. |- | -y | Specifies to not prompt a user before executing any commands. |- | -f | Displays a formatted version of the table content. Every table may have its own specific format style. |- | -o <filename> | Dumps CL formatted output to filename, which can later be read by fw log or any other entity that can read FW log formats. |- | -c | Displays formatted table information in common format. |- | -r | Resolves IP addresses in formatted output. |- | -x, -a, -e | It is possible to add or remove an entry from an existing dynamic table by using the -a or the -x flags, respectively. These flags must be followed by the -e flag and an entry description (<entry>). Caution - Improper use of the -a and -x flags may cause system instability. |- | [hostname] | A list of one or more targets. When not used, the local machine is used as the default target. 
|} == Example == # fw tab -t <nowiki> <table-name> </nowiki> -a -e "1,2;3,4,5" or or fw tab -t <nowiki> <table-name> </nowiki> -a -e "<1,2;3,4,5>" Adds an entry: <00000001,00000002,00000003,00000004,00000005,>to<nowiki> <table-name></nowiki> fw tab -t <nowiki> <table-name> </nowiki> -a -e "1,2," or fw tab -t <nowiki> <table-name> </nowiki> -a -e "<1,2>" Adds an entry with only a key field: <00000001,00000002> If table<table-name> contains the following<0000000,00000001,00000002> entry: <0000000,00000001,00000002> fwtab-t<nowiki> <table-name></nowiki> -x-e"0,1" or fwtab-t<nowiki> <table-name></nowiki> -x-e"0,1;2" Removes the entry from the specified table. == Comments == If table has the 'expire' attribute, entries added using the -a flag will receive the default table timeout. This feature only works on local machine kernel tables and does not work on a remote machine's tables like additional fw tab commands. The -x flag can be used independently of the -e flag in which case the entire table content is deleted. This feature should only be used for debug purposes. It is not advisable to arbitrarily change the content of any kernel table since doing so may have unexpected results including unexpected security and connectivity impacts. [[category:man pages]] [[category:version R75]] [[category:check point]] 343 342 2014-02-28T18:14:19Z Nighthawk 1 /* Example */ wikitext text/x-wiki == fw tab == == Description == The fw tab command enables you to view kernel table contents and change them (that is, only dynamic tables since the content of a static table is indeed static). == Usage == fw tab [-t <table>] [-s] -c] [-f] [-o <filename>] [-r] [-u | -m <maxvals>] [[-x | -a} -e entry] [-y] [hostname]" == Syntax == {| cellspacing="5" border="1" ! align="left"|Argument !Description |- | -t <nowiki> <table> </nowiki> | Specifies a table for the command. |- | -s | Displays a short summary of the table (s) information. 
|- | -y | Specifies to not prompt a user before executing any commands. |- | -f | Displays a formatted version of the table content. Every table may have its own specific format style. |- | -o <filename> | Dumps CL formatted output to filename, which can later be read by fw log or any other entity that can read FW log formats. |- | -c | Displays formatted table information in common format. |- | -r | Resolves IP addresses in formatted output. |- | -x, -a, -e | It is possible to add or remove an entry from an existing dynamic table by using the -a or the -x flags, respectively. These flags must be followed by the -e flag and an entry description (<entry>). Caution - Improper use of the -a and -x flags may cause system instability. |- | [hostname] | A list of one or more targets. When not used, the local machine is used as the default target. |} == Example == # fw tab -t <nowiki> <table-name> </nowiki> -a -e "1,2;3,4,5" or or fw tab -t <nowiki> <table-name> </nowiki> -a -e "<1,2;3,4,5>" Adds an entry: <00000001,00000002,00000003,00000004,00000005,>to<nowiki> <table-name></nowiki> fw tab -t <nowiki> <table-name> </nowiki> -a -e "1,2," or fw tab -t <nowiki> <table-name> </nowiki> -a -e "<1,2>" Adds an entry with only a key field: <00000001,00000002> If table<table-name> contains the following<0000000,00000001,00000002> entry: <0000000,00000001,00000002> fwtab-t<nowiki> <table-name></nowiki> -x-e"0,1" or fwtab-t<nowiki> <table-name></nowiki> -x-e"0,1;2" Removes the entry from the specified table. == Comments == If table has the 'expire' attribute, entries added using the -a flag will receive the default table timeout. This feature only works on local machine kernel tables and does not work on a remote machine's tables like additional fw tab commands. The -x flag can be used independently of the -e flag in which case the entire table content is deleted. This feature should only be used for debug purposes. 
It is not advisable to arbitrarily change the content of any kernel table since doing so may have unexpected results including unexpected security and connectivity impacts. [[category:man pages]] [[category:version R75]] [[category:check point]] 342 341 2014-02-28T18:12:32Z Nighthawk 1 /* Example */ wikitext text/x-wiki == fw tab == == Description == The fw tab command enables you to view kernel table contents and change them (that is, only dynamic tables since the content of a static table is indeed static). == Usage == fw tab [-t <table>] [-s] -c] [-f] [-o <filename>] [-r] [-u | -m <maxvals>] [[-x | -a} -e entry] [-y] [hostname]" == Syntax == {| cellspacing="5" border="1" ! align="left"|Argument !Description |- | -t <nowiki> <table> </nowiki> | Specifies a table for the command. |- | -s | Displays a short summary of the table (s) information. |- | -y | Specifies to not prompt a user before executing any commands. |- | -f | Displays a formatted version of the table content. Every table may have its own specific format style. |- | -o <filename> | Dumps CL formatted output to filename, which can later be read by fw log or any other entity that can read FW log formats. |- | -c | Displays formatted table information in common format. |- | -r | Resolves IP addresses in formatted output. |- | -x, -a, -e | It is possible to add or remove an entry from an existing dynamic table by using the -a or the -x flags, respectively. These flags must be followed by the -e flag and an entry description (<entry>). Caution - Improper use of the -a and -x flags may cause system instability. |- | [hostname] | A list of one or more targets. When not used, the local machine is used as the default target. 
= fwd log buffer parameters =
Revision 583, 2016-06-03T13:49:24Z, Nighthawk

 [admin@chkpfw1 ~]# grep FW_ASYC_BUFFER_FOR_FWD /opt/CPshrd-R77/registry/HKLM_registry.data
 :FW_ASYC_BUFFER_FOR_FWD ("[4]3000")
 [admin@chkpfw1 ~]# grep BUFFER_RECS_FOR_FWD /opt/CPshrd-R77/registry/HKLM_registry.data
 :BUFFER_RECS_FOR_FWD ("[4]40000")

[[category:logging]]

= gaia - adding an alias interface =
Revision 636, 2017-04-30T02:44:23Z, Nighthawk

At the clish prompt:
 mygw> add interface eth0 alias 192.168.1.10/24
The alias created will look like this:
 eth0:1    Link encap:Ethernet  HWaddr 82:3E:FC:AF:B5:80
           inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           Interrupt:185 Base address:0xa000

= gaia 77.30 bug =
Revision 570, 2016-01-18T16:29:02Z, Nighthawk

 [Expert@chkpfw1:0]# clish -c "set user admin newpass abc1235"
 CLINFR0710 Illegal characters
 [Expert@chkpfw1:0]# clish -c "set user admin newpass abc1235"
 CLINFR0710 Illegal characters
 [Expert@chkpfw1:0]# clish -c "set user admin newpass abc1235"
 CLINFR0710 Illegal characters
 [Expert@chkpfw1:0]# cat /etc/cp-release
 Check Point Gaia R77.30
 [Expert@chkpfw1:0]# clish
 chkpfw1> set user admin newpass abc1235
 CLINFR0710 Illegal characters
 chkpfw1> exit
 [Expert@chkpfw1:0]# clish
 chkpfw1> set user admin newpass abc1235
 CLINFR0710 Illegal characters
 chkpfw1> set user admin newpass abc1235
 chkpfw1> save config
= gaia CLI upgrades =
Revision 640, 2017-04-30T20:02:25Z, Nighthawk

==R75.40 to R77.10==
To upgrade using an ISO image on a DVD:

Note - This procedure is not supported on IP Appliances.

1. Download the Gaia ISO image from the Check Point Support Center, http://supportcontent.checkpoint.com/solutions?id=sk92965: Check_Point_Install_and_Upgrade_R77.Gaia.iso

2. Mount the ISO image on the device to be upgraded. This can be done via a physical drive, or by virtually attaching the ISO.

3. From clish, run:
 upgrade cd

==troubleshooting==
=== error: mount failed ===
 chkpmgr> upgrade cd
 UPGRADE: mount failed: Device or resource busy
In this scenario, I had manually mounted /dev/cdrom on /mnt/cdrom. This is not needed and even causes the upgrade command to fail. I solved it by unmounting the cdrom:
 # umount /dev/cdrom
= gaia list interface parameters on a single line =
Revision 586, 2016-06-10T03:38:50Z, Nighthawk
One line of output per interface: the interface name followed by each listed parameter, comma separated. Interfaces whose names contain lo, Mgmt or Sync are skipped.
 clish -c "show interfaces" | grep -v -E "lo|Mgmt|Sync" | while read -r line; do printf '%s,' "$line"; for i in state link-state speed duplex ipv4-address auto-negotiation mtu monitor-mode; do PARAM=$(clish -c "show interface $line $i"); printf '%s,' "$PARAM"; done; echo; done

= gaia log rotation settings =
Revision 789, 2018-05-23T15:36:51Z, Nighthawk

Found in /etc/cpshell/log_rotation.conf

= gaia setup via CLI =
Revision 578, 2016-04-13T17:03:47Z, Nighthawk

We don't like wizards...

== creating a config template ==
 # config_system --create-template <template_name>
Edit the template and fill out the fields per the comments. Then test the validity of the template:
 # config_system --config-file <template_name> --dry-run
Once validated, run it on a newly installed system without the dry-run option:
 # config_system --config-file <template_name>

== backing up configs ==
This does not snapshot any filesystems, only the configuration.
 # clish -c "show configuration" > backupfile
= gaia vrrp setup using CLI =
Revision 262, 2013-09-15T08:44:40Z, Nighthawk: moved [[gaia vrrp setup using CLI]] to [[Gaia VRRP setup guide]]

#REDIRECT [[Gaia VRRP setup guide]]

= geoprotection =
Revision 430, 2014-05-02T05:56:35Z, Nighthawk

IpToCountry data file location: $FWDIR/tmp/geo_location_tmp/updates/IpToCountry.csv

== file format ==
 # FILE FORMAT IPV4
 # ================
 #
 # --------------------------------------------------------------
 # All lines beginning with either "#" or whitespace are comments
 # --------------------------------------------------------------
 #
 # IP FROM      IP TO        REGISTRY  ASSIGNED    CTRY CNTRY COUNTRY
 # "1346797568","1346801663","ripencc","20010601","il","isr","Israel"
 #
 # IP FROM & : Numerical representation of IP address.
 # IP TO       Example: (from Right to Left)
 #             1.2.3.4 = 4 + (3 * 256) + (2 * 256 * 256) + (1 * 256 * 256 * 256)
 #             is 4 + 768 + 13,1072 + 16,777,216 = 16,909,060
 #
 # REGISTRY  : apcnic, arin, lacnic, ripencc and afrinic
 #             Also included as of April 22, 2005 are the IANA IETF Reserved
 #             address numbers. These are important since any source claiming
 #             to be from one of these IPs must be spoofed.
 #
 # ASSIGNED  : The date this IP or block was assigned. (In Epoch seconds)
 #             NOTE: Where the allocation or assignment has been transferred from
 #             one registry to another, the date represents the date of first
 #             assignment or allocation as received in from the original RIR.
 #             It is noted that where records do not show a date of first
 #             assignment, the date is given as "0".
 #
 # CTRY      : 2 character international country code
 #             NOTE: ISO 3166 2-letter code of the organisation to which the
 #             allocation or assignment was made, and the enumerated variances of:
 #             AP - non-specific Asia-Pacific location
 #             CS - Serbia and Montenegro
 #             YU - Serbia and Montenegro (Formally Yugoslavia) (Being phased out)
 #             EU - non-specific European Union location
 #             FX - France, Metropolitan
 #             PS - Palestinian Territory, Occupied
 #             UK - United Kingdom (standard says GB)
 #             * ZZ - IETF RESERVED address space.

Taken from [http://netwinsite.com/surgemail/IpToCountry.csv http://netwinsite.com/surgemail/IpToCountry.csv]

= get cmm status =
Revision 409, 2014-04-07T02:56:23Z, Nighthawk

Example (normal status):
 [Expert@my61k]# '''asg_chassis_ctrl get_cmm_status'''
 Getting CMM(s) status
 CMM #1 -> Health: 1, Active: 1
 CMM #2 -> Health: 1, Active: 0
 Active CMM firmware version: 2.70

Example (problem status):
 [Expert@my61k]# '''asg_chassis_ctrl get_cmm_status'''
 Getting CMM(s) status
 CMM #1 -> Health: 0, Active: 1
 CMM #2 -> Health: 0, Active: 0
 Active CMM firmware version: 2.83

[[category:61000]]
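Returning to the IpToCountry.csv format documented in the geoprotection section above: the header describes the numeric address encoding, the quoted CSV layout, the comment convention, and notes that a source address inside an IANA/IETF reserved block "must be spoofed". As an added example (not part of the wiki page and not Check Point's geo protection code), the shell functions below implement the address conversion, a range lookup over a file in that format, and the spoofed-source check the header implies. The rows written by geo_sample_csv are constructed for this example and are not real registry data.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of Check Point's geo protection:
# lookup against a file in the IpToCountry.csv format, plus the check its header
# suggests (an address in an IETF reserved "zz" block can only be a spoofed source).
# The rows in geo_sample_csv are constructed for this example, not real data.

# ip4_to_int A.B.C.D -> decimal value, the right-to-left sum from the file header
# (1.2.3.4 -> 16909060); prints nothing for a malformed address
ip4_to_int() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit }
        { printf "%.0f\n", $4 + $3 * 256 + $2 * 65536 + $1 * 16777216 }'
}

# geo_sample_csv -> path of a temp file holding constructed sample rows
geo_sample_csv() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# FILE FORMAT IPV4 -- constructed sample rows for this example, not real data
# IP FROM      IP TO        REGISTRY  ASSIGNED    CTRY CNTRY  COUNTRY
"1346797568","1346801663","ripencc","20010601","il","isr","Israel"
"167772160","184549375","iana","410227200","zz","zzz","Reserved"
"1347420160","1347485695","ripencc","0","eu","eu","European Union"
EOF
    printf '%s\n' "$f"
}

# ip_to_country CSV A.B.C.D -> "ctry country" of the first matching range, or "unknown"
ip_to_country() {
    n=$(ip4_to_int "$2")
    [ -n "$n" ] || { echo "bad address: $2" >&2; return 2; }
    # FS is the quoted separator "," so a country name containing a comma
    # ("Korea, Republic of") stays in one field; lines starting with "#" or
    # whitespace are comments, as the header says
    awk -v n="$n" -F'","' '
        /^[# \t]/ || NF < 7 { next }
        { sub(/^"/, "", $1); sub(/"$/, "", $7) }
        $1 + 0 <= n + 0 && n + 0 <= $2 + 0 { print $5, $7; found = 1; exit }
        END { if (!found) print "unknown" }' "$1"
}

# is_spoofed_source CSV A.B.C.D -> 0 when the address falls in a reserved "zz" block
is_spoofed_source() {
    case $(ip_to_country "$1" "$2") in
        "zz "*|"ZZ "*) return 0 ;;
        *) return 1 ;;
    esac
}

# demo on the constructed file
csv=$(geo_sample_csv)
ip_to_country "$csv" 80.70.129.5
is_spoofed_source "$csv" 10.1.2.3 && echo "10.1.2.3 is in a reserved block: source must be spoofed"
rm -f "$csv"
```

On a gateway the file argument would be the path given above ($FWDIR/tmp/geo_location_tmp/updates/IpToCountry.csv); the lookup is a linear awk scan, which is adequate for ad hoc checks of a log line but not for per-packet use.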
= get or set active / backup status from CMM CLI =
Revision 417, 2014-04-15T15:34:03Z, Nighthawk

To get CMM (shmm) status after logging into the CMM, use the commands below.
 shmm500 login: admin
 Password:

== get status ==
 # clia shmstatus
 Pigeon Point Shelf Manager Command Line Interpreter
 Host: "Active"

 # clia shmstatus
 Pigeon Point Shelf Manager Command Line Interpreter
 Running on the Backup Shelf Manager, with limited functionality
 Host: "Backup"

== set status ==
The switchover command changes which CMM/shmm is active. All it seems to do is reboot the active CMM: if run from the Backup CMM (as in the example below), it reboots the other CMM; if run on the active CMM, that CMM immediately reboots under you.

Example when run from the Backup CMM/shmm:
 # clia switchover
 Pigeon Point Shelf Manager Command Line Interpreter
 Running on the Backup Shelf Manager, with limited functionality
 Sending switchover request to the Active Host

[[category:cmm]] [[category:61000]]
= growing root partition =
Revision 568, 2015-12-04T07:10:36Z, Nighthawk

== Problem ==
Insufficient disk space in /opt to apply an upgrade.

O.S.: SecurePlatform (splat) or Gaia

Check Point versions: multiple

== Solution ==
Use available, unallocated disk space. Newer Check Point versions use LVM, and Check Point often doesn't allocate all of the disk. This is not a bad thing; it is a common best practice with LVM, because it lets admins grow partitions as needed from the free disk space. If you allocated it all up front but then needed one partition bigger, you would have to shrink one to grow another, which is more complicated. Root can't be shrunk while the system is running (it can be grown, as we are about to see).

'''Example'''
 [Expert@chkpfw1:0]# '''df -h'''
 Filesystem                       Size  Used Avail Use% Mounted on
 /dev/mapper/vg_splat-lv_current  4.9G  3.6G  1.1G  77% /          <<< root doesn't have enough space for my 77.30 upgrade :(
 /dev/hda1                        289M   24M  251M   9% /boot
 tmpfs                            217M     0  217M   0% /dev/shm
 /dev/mapper/vg_splat-lv_log      6.8G  3.7G  2.9G  57% /var/log

Check the volume group for free space:
 [Expert@chkpfw2:0]# '''vgdisplay | grep -i size'''
 VG Size               18.69 GB
 PE Size               32.00 MB
 Alloc PE / Size       384 / 12.00 GB
 Free PE / Size        214 / 6.69 GB    <<< yay! I have some!

Growing the logical volume (the "container"):
 [Expert@chkpfw2:0]# '''lvresize -L +6.69GB vg_splat/lv_current'''
 Rounding up size to full physical extent 6.72 GB
 Extending logical volume lv_current to 11.72 GB
 Insufficient free space: 215 extents needed, but only 214 available

That failed: specifying the increase in GB is less precise than the extent count.
So, let's use extents:
 [Expert@chkpfw2:0]# '''lvresize -l +214 vg_splat/lv_current'''
 Extending logical volume lv_current to 11.69 GB
 Logical volume lv_current successfully resized

Verifying the new volume group allocation:
 [Expert@chkpfw2:0]# vgdisplay | grep -i -E "name|size"
 VG Name               vg_splat
 VG Size               18.69 GB
 PE Size               32.00 MB
 Alloc PE / Size       598 / 18.69 GB
 Free PE / Size        0 / 0

Growing the file system to fill the "container":
 [Expert@chkpfw2:0]# '''resize2fs /dev/mapper/vg_splat-lv_current'''
 resize2fs 1.39 (29-May-2006)
 Filesystem at /dev/mapper/vg_splat-lv_current is mounted on /; on-line resizing required
 Performing an on-line resize of /dev/mapper/vg_splat-lv_current to 3063808 (4k) blocks.
 The filesystem on /dev/mapper/vg_splat-lv_current is now 3063808 blocks long.

Viewing the newly allocated disk space:
 [Expert@chkpfw2:0]# df -h
 Filesystem                       Size  Used Avail Use% Mounted on
 /dev/mapper/vg_splat-lv_current   12G  3.6G  7.2G  33% /
 /dev/hda1                        289M   24M  251M   9% /boot
 tmpfs                            217M     0  217M   0% /dev/shm
 /dev/mapper/vg_splat-lv_log      6.8G  2.2G  4.3G  34% /var/log

So, we grew root while the system had it mounted and was running from it. Thank you LVM!
'''Example''' [Expert@chkpfw1:0]# '''df -h''' Filesystem Size Used Avail Use% Mounted on /dev/mapper/vg_splat-lv_current 4.9G 3.6G 1.1G 77% / <<< root does't have enough space for my 77.30 upgrade :( /dev/hda1 289M 24M 251M 9% /boot tmpfs 217M 0 217M 0% /dev/shm /dev/mapper/vg_splat-lv_log 6.8G 3.7G 2.9G 57% /var/log Check the volumn groups for Free space [Expert@chkpfw2:0]# '''vgdisplay | grep -i size''' VG Size 18.69 GB PE Size 32.00 MB Alloc PE / Size 384 / 12.00 GB Free PE / Size 214 / 6.69 GB <<< yay! I have some! adding/growing the logical volume "container" [Expert@chkpfw2:0]# '''lvresize -L +6.69GB vg_splat/lv_current''' Rounding up size to full physical extent 6.72 GB Extending logical volume lv_current to 11.72 GB Insufficient free space: 215 extents needed, but only 214 available that failed... specifying the increase in GB is less precise. So, lets use "extents" [Expert@chkpfw2:0]# '''lvresize -l +214 vg_splat/lv_current''' Extending logical volume lv_current to 11.69 GB Logical volume lv_current successfully resized verifying new volume group size [Expert@chkpfw2:0]# vgdisplay | grep -i -E "name|size" VG Name vg_splat VG Size 18.69 GB PE Size 32.00 MB Alloc PE / Size 598 / 18.69 GB Free PE / Size 0 / 0 growing the file system to fill the "container" [Expert@chkpfw2:0]# '''resize2fs /dev/mapper/vg_splat-lv_current''' resize2fs 1.39 (29-May-2006) Filesystem at /dev/mapper/vg_splat-lv_current is mounted on /; on-line resizing required Performing an on-line resize of /dev/mapper/vg_splat-lv_current to 3063808 (4k) blocks. The filesystem on /dev/mapper/vg_splat-lv_current is now 3063808 blocks long. viewing newly allocated disk space [Expert@chkpfw2:0]# df -h Filesystem Size Used Avail Use% Mounted on /dev/mapper/vg_splat-lv_current 12G 3.6G 7.2G 33% / /dev/hda1 289M 24M 251M 9% /boot tmpfs 217M 0 217M 0% /dev/shm /dev/mapper/vg_splat-lv_log 6.8G 2.2G 4.3G 34% /var/log So, we grew root while the system had it mounted and was running from it. Thank you LVM! 
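As an added example (not from the cpwiki page), a small POSIX sh helper that reproduces the page's lvresize arithmetic offline from constructed vgdisplay text: it converts a GB request into the whole physical extents lvresize rounds up to, which shows why +6.69GB needs 215 extents while only 214 are free, and prints the -l +N command that fits. The volume group name and LV path are the ones shown above; nothing here touches a real VG.

```shell
#!/bin/sh
# Added example (not from cpwiki.net): reproduce the page's lvresize
# arithmetic offline from constructed vgdisplay text, so the exact "-l +N"
# request is known before a live root volume is touched.

# Constructed sample: the vgdisplay lines the page shows for vg_splat.
SAMPLE_VGDISPLAY='  VG Name               vg_splat
  VG Size               18.69 GB
  PE Size               32.00 MB
  Alloc PE / Size       384 / 12.00 GB
  Free  PE / Size       214 / 6.69 GB'

# Free physical extents: the count after "Free  PE / Size".
free_extents() {
    printf '%s\n' "$1" | awk '/Free +PE/ { print $5 }'
}

# Physical extent size in MB, from the "PE Size" line.
pe_size_mb() {
    printf '%s\n' "$1" | awk '/^ *PE Size/ { print $3 }'
}

# Whole extents a "-L +<gb>GB" request turns into: lvresize rounds a partial
# extent UP ("Rounding up size to full physical extent"), which is exactly
# why +6.69GB asks for 215 extents when only 214 are free.
extents_needed_for_gb() {
    awk -v gb="$1" -v pe="$2" 'BEGIN {
        x = gb * 1024 / pe
        n = int(x)
        if (n < x) n++
        print n
    }'
}

# Decide whether a GB request fits, and print the extent-based command to
# run instead. Output: "ok <command>" or "fail <needed> > <free>".
plan_resize() {
    _vg_text="$1"; _want_gb="$2"; _lv="$3"
    _free=$(free_extents "$_vg_text")
    _pe=$(pe_size_mb "$_vg_text")
    _need=$(extents_needed_for_gb "$_want_gb" "$_pe")
    if [ "$_need" -gt "$_free" ]; then
        echo "fail $_need > $_free"
    else
        echo "ok lvresize -l +$_need $_lv"
    fi
}

# Demonstration with the page's numbers: 6.69 GB fails; 6.68 GB rounds up
# to the 214 free extents (6.6875 GB), the most this VG can give.
plan_resize "$SAMPLE_VGDISPLAY" 6.69 vg_splat/lv_current
plan_resize "$SAMPLE_VGDISPLAY" 6.68 vg_splat/lv_current
```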
= hit counter =
''Nighthawk, last revised 2017-09-21''

== Prerequisites for hit counter functionality ==
Global Properties that must be enabled. CLI to query them (must be in the CMA environment on an MDM):
 # cpmiquerybin object "" properties "name='firewall_properties'" | grep -i enable_hit_count
         :enable_hit_count (1)
 # cpmiquerybin object "" properties "name='firewall_properties'" | grep rulebase_uids_in_log
         :rulebase_uids_in_log (true)

== max table size (on fw gateways) ==
[https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk90040&partition=General&product=Security hit counter fw module max table size] sk90040
 fw ctl get int fw_rules_uid_max_dic_entries
 fw ctl set int fw_rules_uid_max_dic_entries VALUE
For surviving reboot... [https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk26202 Changing the kernel global parameters for Check Point Security Gateway]

= how stop annoying syslog messages to console on nokia ipso firewalls =
''Nighthawk, 2014-04-27''

 dbset syslog:action:user:admin
 dbset syslog:action:user:admin:selector:all.err
 dbset syslog:action:user:admin:selector:auth.debug
 dbset syslog:action:user:all
 dbset syslog:action:user:all:selector:all.emerg
Still a work in progress...

[[category:nokia]]
[[category:ipso]]

= how to determine corexl license support =
''Nighthawk, 2013-07-23''

How to determine the number of cores with CoreXL your firewall license supports.

version: R70

license version: blade

== license features ==
 [admin]# cplic print
 Host             Expiration  Features
 192.168.1.1      never       CPAP-IP245X CPSB-FW CPSB-VPN CPSB-ADN CPSB-ACCL CPSB-IPS

== find cp.macro ==
Support said to parse cp.macro for the features above and look for a corresponding CPSG-C-x string, where x is the maximum number of cores supported for CoreXL configuration by the license. In this example, the appliance license feature for the Nokia IP2450 covers CoreXL for up to 8 CPUs.
 [admin]# find / -name cp.macro
 /var/opt/CPsuite-R70/svn/conf/cp.macro
 # cat /var/opt/CPsuite-R70/svn/conf/cp.macro | grep -i cpsg-c
 ... output truncated
 MACRO ::CPAP-IP245x CPSG-C-8-U CPSG-U

[[category:licensing]]

= how to increase the ring descriptor size on SecurePlatform =
''Nighthawk, 2013-07-18''

'''ring descriptor size set command'''
 ethtool -G ''interface_name'' rx ''SIZE'' tx ''SIZE''
To survive reboot, add the above command to the /etc/rc.local start-up script.

Taken from: Solution ID: sk60523, Product: SecurePlatform, Version: R75, OS: SecurePlatform 2.6

[[category:NIC]]

= inspect =
''Nighthawk, 2014-05-02''

[http://etutorials.org/Networking/Check+Point+FireWall/Chapter+14.+INSPECT/Sample+INSPECT+Code/ http://etutorials.org/Networking/Check+Point+FireWall/Chapter+14.+INSPECT/Sample+INSPECT+Code/]

= installing Check Point to Red Hat linux =
''Nighthawk, last revised 2017-05-22''

== Version compatibility ==
As of 5-22-2017; see sk98760 and [https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk44925 sk44925] for updates...

* R77.30/77.20 (and some older versions): Red Hat linux 5.0, 5.4, 5.9, 6.5
* R80.10: 5.5, 6.8, 7.3

For specifics regarding SmartCenter / MultiDomain (Provider-1)... [http://www.cpwiki.net/index.php/installing_Security_Management_on_Red_Hat_Enterprise_Linux_5 installing_Security_Management_on_Red_Hat_Enterprise_Linux_5]

[[category:linux]]

= installing Security Management on Red Hat Enterprise Linux 5 =
''Nighthawk, last revised 2016-06-21''

This page gives some of the prerequisite details / instructions for installing Check Point on a device running RedHat. It should also work for the open source version of RedHat... CentOS.

Why install to one of these platforms??? Because they are better than SPLAT, or in some cases Gaia. SPLAT and Gaia are too stripped down and are missing basic utilities such as rsync. Gaia firewalls are decent, with desirable functions built in like vrrp and clish. But a RedHat based SmartCenter or Provider-1 is hands down better than SPLAT or Gaia. Why do most Check Point customers run SPLAT / Gaia management devices? Usually it is just plain laziness. They want to grab a CD, shove it in a device, and follow the prompts to install and get it running.

== Versions ==
These instructions are found in the Release Notes for the following versions: Check Point R70, R71, and R75

== Install Instructions ==
'''Before you install Security Management on Red Hat Enterprise Linux 5:'''

'''1. Install the sharutils-4.6.1-2 package'''

a) Make sure that you have the sharutils-4.6.1-2 package installed by running:
 rpm -qa | grep sharutils-4.6.1-2
b) If the package is not already installed, install it by running:
 rpm -i sharutils-4.6.1-2.i386.rpm
This package can be found on CD 3 of RHEL 5.

'''2. Install the compat-libstdc++-33-3.2.3-61 package'''

a) Make sure that you have the compat-libstdc++-33-3.2.3-61 package by running:
 rpm -qa | grep compat-libstdc++-33-3.2.3-61
b) If the package is not already installed, install it by running:
 rpm -i compat-libstdc++-33-3.2.3-61.i386.rpm
This package can be found on CD 2 of RHEL 5.

'''3. Disable SELinux'''

a) Make sure that SELinux is disabled by running:
 getenforce
b) If SELinux is enabled, disable it by setting SELINUX=disabled in the /etc/selinux/config file and rebooting the computer.

==links==
[https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk98760&partition=Advanced&product=Security]
Install the sharutils-4.6.1-2 package''' a) Make sure that you have the sharutils-4.6.1-2 package installed by running: rpm -qa | grep sharutils-4.6.1-2 b) If the package is not already installed, install it by running: rpm –i sharutils-4.6.1-2.i386.rpm This package can be found on CD 3 of RHEL 5. '''2. Install the compat-libstdc++-33-3.2.3-61 package''' a) Make sure that you have the compat-libstdc++-33-3.2.3-61 package by running: rpm –qa | grep compat-libstdc++-33-3.2.3-61 b) If the package is not already installed, install it by running: rpm –i compat-libstdc++-33-3.2.3-61.i386.rpm This package can be found on CD 2 of RHEL 5. '''3. Disable SeLinux''' a) Make sure that SeLinux is disabled by running: getenforce b) If SeLinux is enabled, disable it by setting SELINUX=disabled in the /etc/selinux/config file and rebooting the computer. 378 213 2014-03-22T16:34:06Z Nighthawk 1 wikitext text/x-wiki This page gives some of the pre-requisite details / instructions if installing Check Point to a device running RedHat. It should also work for the open source version of RedHat... CentOS. Why install to one of these platforms??? because they are better than SPLAT or in some cases Gaia. SPLAT and Gaia are too stripped down and are missing basic utilities such as rsync. Gaia firewalls are decent with desirable functions built in like vrrp and clish. But a RedHat based SmartCenter or Provider-1 is hands down better than SPLAT or Gaia. == Versions == This instructions are found in the Release Notes for the following versions... versions: Check Point R70, R71, and R75 == Install Instructions == '''Before you install Security Management on Red Hat Enterprise Linux 5:''' '''1. Install the sharutils-4.6.1-2 package''' a) Make sure that you have the sharutils-4.6.1-2 package installed by running: rpm -qa | grep sharutils-4.6.1-2 b) If the package is not already installed, install it by running: rpm –i sharutils-4.6.1-2.i386.rpm This package can be found on CD 3 of RHEL 5. '''2. 
Install the compat-libstdc++-33-3.2.3-61 package''' a) Make sure that you have the compat-libstdc++-33-3.2.3-61 package by running: rpm –qa | grep compat-libstdc++-33-3.2.3-61 b) If the package is not already installed, install it by running: rpm –i compat-libstdc++-33-3.2.3-61.i386.rpm This package can be found on CD 2 of RHEL 5. '''3. Disable SeLinux''' a) Make sure that SeLinux is disabled by running: getenforce b) If SeLinux is enabled, disable it by setting SELINUX=disabled in the /etc/selinux/config file and rebooting the computer. 213 212 2013-09-03T21:39:17Z Nighthawk 1 wikitext text/x-wiki '''Before you install Security Management on Red Hat Enterprise Linux 5:''' '''1. Install the sharutils-4.6.1-2 package''' a) Make sure that you have the sharutils-4.6.1-2 package installed by running: rpm -qa | grep sharutils-4.6.1-2 b) If the package is not already installed, install it by running: rpm –i sharutils-4.6.1-2.i386.rpm This package can be found on CD 3 of RHEL 5. '''2. Install the compat-libstdc++-33-3.2.3-61 package''' a) Make sure that you have the compat-libstdc++-33-3.2.3-61 package by running: rpm –qa | grep compat-libstdc++-33-3.2.3-61 b) If the package is not already installed, install it by running: rpm –i compat-libstdc++-33-3.2.3-61.i386.rpm This package can be found on CD 2 of RHEL 5. '''3. Disable SeLinux''' a) Make sure that SeLinux is disabled by running: getenforce b) If SeLinux is enabled, disable it by setting SELINUX=disabled in the /etc/selinux/config file and rebooting the computer. 212 2013-09-03T21:38:42Z Nighthawk 1 Created page with " '''Before you install Security Management on Red Hat Enterprise Linux 5:''' '''1. Install the sharutils-4.6.1-2 package''' a) Make sure that you have the sharutils-4.6.1-2 ..." wikitext text/x-wiki '''Before you install Security Management on Red Hat Enterprise Linux 5:''' '''1. 
= interface monitoring via snmp =
''Nighthawk, last revised 2020-06-19''

notes... page in progress

 [Expert@chkpfw1:0]# '''netstat -in'''
 Kernel Interface table
 Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
 eth0       1500   0 103695407    104    163      0 21955304      0      0      0 BMRU
 eth1       1500   0 84889247      3      0      0   134888      0      0      0 BMRU
 eth2       1500   0 51557348      0      0      0        0      0      0      0 BMRU
 lo        16436   0  7173067      0      0      0  7173067      0      0      0 LRU

The same counters read via SNMP (here ifIndex 2 is eth0 and ifIndex 1 is lo, which is why the .2 values below match the eth0 row):

RX-DRP
 [Expert@chkpfw1:0]# '''snmpget -v 2c -c NAGIOS 192.168.1.2 IF-MIB::ifInDiscards.2'''
 IF-MIB::ifInDiscards.2 = Counter32: 163

RX-ERR
 [Expert@chkpfw1:0]# '''snmpget -v 2c -c NAGIOS 192.168.1.2 IF-MIB::ifInErrors.2'''
 IF-MIB::ifInErrors.2 = Counter32: 104

Packet counters for all interfaces (the hrSWRunParameters line is the grep process itself showing up in the walk):
 [Expert@chkpfw1:0]# '''snmpwalk -v 2c -c NAGIOS 192.168.1.2 | grep -i if.*UcastPkts'''
 IF-MIB::ifInUcastPkts.1 = Counter32: 7173335
 IF-MIB::ifInUcastPkts.2 = Counter32: 103699664
 IF-MIB::ifInUcastPkts.3 = Counter32: 84893047
 IF-MIB::ifInUcastPkts.4 = Counter32: 51559644
 IF-MIB::ifInNUcastPkts.1 = Counter32: 0
 IF-MIB::ifInNUcastPkts.2 = Counter32: 0
 IF-MIB::ifInNUcastPkts.3 = Counter32: 0
 IF-MIB::ifInNUcastPkts.4 = Counter32: 0
 IF-MIB::ifOutUcastPkts.1 = Counter32: 7173335
 IF-MIB::ifOutUcastPkts.2 = Counter32: 21956198
 IF-MIB::ifOutUcastPkts.3 = Counter32: 134891
 IF-MIB::ifOutUcastPkts.4 = Counter32: 0
 IF-MIB::ifOutNUcastPkts.1 = Counter32: 0
 IF-MIB::ifOutNUcastPkts.2 = Counter32: 0
 IF-MIB::ifOutNUcastPkts.3 = Counter32: 0
 IF-MIB::ifOutNUcastPkts.4 = Counter32: 0
 HOST-RESOURCES-MIB::hrSWRunParameters.28716 = STRING: "-i if.*UcastPkts"
 IF-MIB::ifHCInUcastPkts.1 = Counter64: 7173335
 IF-MIB::ifHCInUcastPkts.2 = Counter64: 103699664
 IF-MIB::ifHCInUcastPkts.3 = Counter64: 84893047
 IF-MIB::ifHCInUcastPkts.4 = Counter64: 51559644
 IF-MIB::ifHCOutUcastPkts.1 = Counter64: 7173335
 IF-MIB::ifHCOutUcastPkts.2 = Counter64: 21956198
 IF-MIB::ifHCOutUcastPkts.3 = Counter64: 134891
 IF-MIB::ifHCOutUcastPkts.4 = Counter64: 0
= ipso - set backspace key to erase =
''Nighthawk, 2013-05-24''

Set the backspace key to erase (useful on older ipso versions like 4.1):
 # stty erase ^?
(type in stty erase, then ctrl-v, then hit backspace and enter)

[[category:check point]]
[[category:nokia]]

= ipso password history checking =
''Nighthawk, 2014-04-19''

to disable
 > set password-controls history-checking off
to enable
 > set password-controls history-checking on

[[category:nokia]]
[[category:ipso]]
[[category:clish]]

= isp redundancy =
''Nighthawk, 2017-07-24''

[https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk23630 Advanced configuration options for ISP Redundancy]

= jumpstart commands =
''Nighthawk, 2013-10-27''

remove temp jumpstart default route
 set static-route default nexthop gateway address <ip_address> off
check anti-spoofing (from cma environment, on P-1)
 cpmiquerybin object "" network_objects "name='<cluster_name>'" |grep anti_spoof
 cpmiquerybin object "" network_objects "name='<firewall_name>'" |grep anti_spoof

[[category:scratch]]

= local firewall objects database =
''Nighthawk, last revised 2015-01-21''

Firewall Versions: R65 to R75 (tested)

Object information such as IPs can be gathered locally on the firewall. This is useful for situations where you might cat $FWDIR/conf/masters to check the manager and logger configurations. The problem is that all that file presents is object names, and you might want the associated IP address... but not want to take the time to look it up in the GUI. The local firewall object information can be found in $FWDIR/database/objects.C

== commands to run locally on the firewall ==
 # '''grep -A 200 -r ": (mysmartcenter" * $FWDIR/database/objects.C | grep -i ipaddr'''
 objects.C-        :ipaddr (192.168.1.100)
where ''mysmartcenter'' should be replaced with the object name of interest

A little cleaner command for bash on SPLAT or Gaia:
 # '''NAME="''object_name_goes_here''"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr'''
ipso (csh syntax):
 # '''set NAME="''object_name_goes_here''"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr'''

== get smartcenter or CMA info ==
 i=`grep -A 1 "Policy" $FWDIR/conf/masters | grep -v Policy`; grep -E ": \($i|ipaddr" $FWDIR/database/objects.C | grep -iA1 "$i"|tr -d "()":ipaddr | awk '{print $1}'

== get logger and IP ==
This one works in bash on linux based firewalls or from bash in ipso:
 [Expert@myfirewall]# '''i=`awk '/\[Log\]/{p=1;next}p &&/\[Alert\]/{p=0};p' $FWDIR/conf/masters`; grep -E ": \($i|ipaddr" $FWDIR/database/objects.C | grep -iA1 "$i"|tr -d "()":ipaddr | awk '{print $1}''''
 my_clm
 192.168.1.10

--- note: bash is not the default shell in ipso (csh is) ---

Switching to bash in ipso:
 mychkpfw[admin]# '''bash'''
 [root@mychkpfw ~]#     <<< new bash prompt

[[category:misc]]
but not want to take the time to look it up on the GUI. The local firewall object information can be found in $FWDIR/database/objects.C == commands to run locally on the firewall == # '''grep -A 200 -r ": (mysmartcenter" * $FWDIR/database/objects.C | grep -i ipaddr''' objects.C- :ipaddr (192.168.1.100) where ''mysmartcenter'' should be replaced with the object name of interest a little cleaner command for bash on SPLAT or Gaia # '''NAME="''object_name_goes_here''"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' ipso # '''set NAME="''object_name_goes_here''"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' == get logger and IP == this one works in bash on linux based firewalls or from bash in ipso [Expert@myfirewall]# '''i=`awk '/\[Log\]/{p=1;next}p &&/\[Alert\]/{p=0};p' $FWDIR/conf/masters`; grep -E ": \($i|ipaddr" $FWDIR/database/objects.C | grep -iA1 "$i"|tr -d "()":ipaddr | awk '{print $1}'''' my_clm 192.168.1.10 --- note: bash is not the default shell in ipso(csh is) --- swithing to bash in ipso mychkpfw[admin]# '''bash''' [root@mychkpfw ~]# <<< new bash prompt [[category:misc]] 509 508 2014-06-24T14:51:19Z Nighthawk 1 /* get logger and IP */ wikitext text/x-wiki Firewall Versions: R65 to R75 (tested) Object information such as IPs can be gathered locally on the firewall. This is useful for situations where you might cat $FWDIR/conf/masters to check the manager and logger configurations. The problem is all that file presents is object names and you might what the associated IP address... but not want to take the time to look it up on the GUI. 
The local firewall object information can be found in $FWDIR/database/objects.C == commands to run locally on the firewall == # '''grep -A 200 -r ": (mysmartcenter" * $FWDIR/database/objects.C | grep -i ipaddr''' objects.C- :ipaddr (192.168.1.100) where ''mysmartcenter'' should be replaced with the object name of interest a little cleaner command for bash on SPLAT or Gaia # '''NAME="''object_name_goes_here''"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' ipso # '''set NAME="''object_name_goes_here''"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' == get logger and IP == this one works in bash on linux based firewalls or from bash in ipso [Expert@myfirewall]# '''i=`awk '/\[Log\]/{p=1;next}p &&/\[Alert\]/{p=0};p' $FWDIR/conf/masters`; grep -E ": \($i|ipaddr" $FWDIR/database/objects.C | grep -iA1 "$i"|tr -d "()":ipaddr | awk '{print $1}'''' my_clm 192.168.1.10 --- note: bash is not the devault shell in ipso(csh is) --- swithing to bash in ipso mychkpfw[admin]# '''bash''' [root@mychkpfw ~]# <<< new bash prompt [[category:misc]] 508 507 2014-06-24T14:51:09Z Nighthawk 1 /* get logger and IP */ wikitext text/x-wiki Firewall Versions: R65 to R75 (tested) Object information such as IPs can be gathered locally on the firewall. This is useful for situations where you might cat $FWDIR/conf/masters to check the manager and logger configurations. The problem is all that file presents is object names and you might what the associated IP address... but not want to take the time to look it up on the GUI. 
The local firewall object information can be found in $FWDIR/database/objects.C == commands to run locally on the firewall == # '''grep -A 200 -r ": (mysmartcenter" * $FWDIR/database/objects.C | grep -i ipaddr''' objects.C- :ipaddr (192.168.1.100) where ''mysmartcenter'' should be replaced with the object name of interest a little cleaner command for bash on SPLAT or Gaia # '''NAME="''object_name_goes_here''"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' ipso # '''set NAME="''object_name_goes_here''"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' == get logger and IP == this one works in bash on linux based firewalls or from bash in ipso [Expert@myfirewall]# '''i=`awk '/\[Log\]/{p=1;next}p &&/\[Alert\]/{p=0};p' $FWDIR/conf/masters`; grep -E ": \($i|ipaddr" $FWDIR/database/objects.C | grep -iA1 "$i"|tr -d "()":ipaddr | awk '{print $1}'''' my_clm 192.168.1.10 ---note: bash is not the devault shell in ipso(csh is) --- swithing to bash in ipso mychkpfw[admin]# '''bash''' [root@mychkpfw ~]# <<< new bash prompt [[category:misc]] 507 489 2014-06-24T14:50:53Z Nighthawk 1 /* get logger and IP */ wikitext text/x-wiki Firewall Versions: R65 to R75 (tested) Object information such as IPs can be gathered locally on the firewall. This is useful for situations where you might cat $FWDIR/conf/masters to check the manager and logger configurations. The problem is all that file presents is object names and you might what the associated IP address... but not want to take the time to look it up on the GUI. 
The local firewall object information can be found in $FWDIR/database/objects.C == commands to run locally on the firewall == # '''grep -A 200 -r ": (mysmartcenter" * $FWDIR/database/objects.C | grep -i ipaddr''' objects.C- :ipaddr (192.168.1.100) where ''mysmartcenter'' should be replaced with the object name of interest a little cleaner command for bash on SPLAT or Gaia # '''NAME="''object_name_goes_here''"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' ipso # '''set NAME="''object_name_goes_here''"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' == get logger and IP == this one works in bash on linux based firewalls or from bash in ipso [Expert@myfirewall]# '''i=`awk '/\[Log\]/{p=1;next}p &&/\[Alert\]/{p=0};p' $FWDIR/conf/masters`; grep -E ": \($i|ipaddr" $FWDIR/database/objects.C | grep -iA1 "$i"|tr -d "()":ipaddr | awk '{print $1}'''' my_clm 192.168.1.10 ---note: bash is not the devault shell in ipso(csh is) --- swithing to bash in ipso mychkpfw[admin]# '''bash''' [root@mychkpfw ~]# <<< new bash prompt [[category:misc]] 489 391 2014-05-29T15:27:22Z Nighthawk 1 wikitext text/x-wiki Firewall Versions: R65 to R75 (tested) Object information such as IPs can be gathered locally on the firewall. This is useful for situations where you might cat $FWDIR/conf/masters to check the manager and logger configurations. The problem is all that file presents is object names and you might what the associated IP address... but not want to take the time to look it up on the GUI. 
The local firewall object information can be found in $FWDIR/database/objects.C == commands to run locally on the firewall == # '''grep -A 200 -r ": (mysmartcenter" * $FWDIR/database/objects.C | grep -i ipaddr''' objects.C- :ipaddr (192.168.1.100) where ''mysmartcenter'' should be replaced with the object name of interest a little cleaner command for bash on SPLAT or Gaia # '''NAME="''object_name_goes_here''"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' ipso # '''set NAME="''object_name_goes_here''"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' == get logger and IP == this one works in bash on linux based firewalls (not ipso) [Expert@myfirewall]# '''i=`awk '/\[Log\]/{p=1;next}p &&/\[Alert\]/{p=0};p' $FWDIR/conf/masters`; grep -E ": \($i|ipaddr" $FWDIR/database/objects.C | grep -iA1 "$i"|tr -d "()":ipaddr | awk '{print $1}'''' my_clm 192.168.1.10 [[category:misc]] 391 390 2014-03-27T17:06:48Z Nighthawk 1 wikitext text/x-wiki Firewall Versions: R65 to R75 (tested) Object information such as IPs can be gathered locally on the firewall. This is useful for situations where you might cat $FWDIR/conf/masters to check the manager and logger configurations. The problem is all that file presents is object names and you might what the associated IP address... but not want to take the time to look it up on the GUI. 
The local firewall object information can be found in $FWDIR/database/objects.C == commands to run locally on the firewall == # '''grep -A 200 -r ": (mysmartcenter" * $FWDIR/database/objects.C | grep -i ipaddr''' objects.C- :ipaddr (192.168.1.100) where ''mysmartcenter'' should be replaced with the object name of interest a little cleaner command for bash on SPLAT or Gaia # '''NAME="''object_name_goes_here''"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' ipso # '''set NAME="''object_name_goes_here''"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' [[category:misc]] 390 389 2014-03-27T17:05:48Z Nighthawk 1 wikitext text/x-wiki Firewall Versions: R65 to R75 (tested) Object information such as IPs can be gathered locally on the firewall. This is useful for situations where you might cat $FWDIR/conf/masters to check the manager and logger configurations. You might what the associated IP address but not want to take the time to look it up on the GUI. The local firewall object information can be found in $FWDIR/database/objects.C == commands to run locally on the firewall == # '''grep -A 200 -r ": (mysmartcenter" * $FWDIR/database/objects.C | grep -i ipaddr''' objects.C- :ipaddr (192.168.1.100) where ''mysmartcenter'' should be replaced with the object name of interest a little cleaner command for bash on SPLAT or Gaia # '''NAME="''object_name_goes_here''"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' ipso # '''set NAME="''object_name_goes_here''"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' [[category:misc]] 389 388 2014-03-27T17:04:11Z Nighthawk 1 wikitext text/x-wiki Firewall Versions: R65 to R75 (tested) Object information such as IPs can be gathered locally on the firewall. This is useful for situations where you might cat $FWDIR/conf/masters to check the manager and logger configurations. 
You might what the associated IP address but not want to take the time to look it up on the GUI. The local firewall object information can be found in $FWDIR/database/objects.C # '''grep -A 200 -r ": (mysmartcenter" * $FWDIR/database/objects.C | grep -i ipaddr''' objects.C- :ipaddr (192.168.1.100) where ''mysmartcenter'' should be replaced with the object name of interest a little cleaner command for bash on SPLAT or Gaia # '''NAME="''object_name_goes_here''"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' ipso # '''set NAME="''object_name_goes_here''"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' [[category:misc]] 388 387 2014-03-27T17:03:01Z Nighthawk 1 wikitext text/x-wiki Firewall Versions: R65 to R75 (tested) Object information such as IPs can be gathered locally on the firewall. This is useful for situations where you might cat $FWDIR/conf/masters to check the manager and logger configurations. You might what the associated IP address but not want to take the time to look it up on the GUI. The local firewall object information can be found in $FWDIR/database/objects.C # '''grep -A 200 -r ": (mysmartcenter" * $FWDIR/database/objects.C | grep -i ipaddr''' objects.C- :ipaddr (192.168.1.100) where ''mysmartcenter'' should be replaced with the object name of interest a little cleaner command for bash on SPLAT or Gaia # '''NAME="mysmartcenter"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' ipso # '''set NAME="mysmartcenter"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' [[category:misc]] 387 386 2014-03-27T17:00:09Z Nighthawk 1 wikitext text/x-wiki Firewall Versions: R65 to R75 (tested) Object information such as IPs can be gathered locally on the firewall. This is useful for situations where you might cat $FWDIR/conf/masters to check the manager and logger configurations. 
You might what the associated IP address but not want to take the time to look it up on the GUI. The local firewall object information can be found in $FWDIR/database/objects.C # '''grep -A 200 -r ": (mysmartcenter" * $FWDIR/database/objects.C | grep -i ipaddr''' objects.C- :ipaddr (192.168.1.100) where ''mysmartcenter'' should be replaced with you object name of interest a little cleaner command for bash on SPLAT or Gaia # '''NAME="mysmartcenter"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' ipso # '''set NAME="mysmartcenter"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' [[category:misc]] 386 385 2014-03-27T16:59:50Z Nighthawk 1 wikitext text/x-wiki Firewall Versions: R65 to R75 (tested) Object information such as IPs can be gathered locally on the firewall. This is useful for situations where you might cat $FWDIR/conf/masters to check the manager and logger configurations. You might what the associated IP address but not want to take the time to look it up on the GUI. The local firewall object information can be found in $FWDIR/database/objects.C # grep -A 200 -r ": (mysmartcenter" * $FWDIR/database/objects.C | grep -i ipaddr objects.C- :ipaddr (192.168.1.100) where ''mysmartcenter'' should be replaced with you object name of interest a little cleaner command for bash on SPLAT or Gaia # '''NAME="mysmartcenter"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' ipso # '''set NAME="mysmartcenter"; grep -A 200 -r ": ($NAME" * $FWDIR/database/objects.C | grep -i ipaddr''' [[category:misc]] 385 2014-03-27T16:59:29Z Nighthawk 1 Created page with "Firewall Versions: R65 to R75 (tested) Object information such as IPs can be gathered locally on the firewall. This is useful for situations where you might cat $FWDIR/con..." wikitext text/x-wiki Firewall Versions: R65 to R75 (tested) Object information such as IPs can be gathered locally on the firewall. 
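The lookups on this page match ": (name" and then take a fixed 200-line window, so an object whose name is a prefix of another object's name, or an object with no :ipaddr of its own, can yield a neighbour's address. The script below is an added example, not part of the wiki page or of Check Point's tooling: it does the same lookup with awk bounded to the object's own block (from its ": (name" header to the next header), and resolves the [Log] entries of a masters file the way the "get logger and IP" one-liner does. The objects.C and masters fragments are constructed for the demonstration with invented names and addresses, and the ": (name" / ":ipaddr (x.x.x.x)" layout is assumed from the output shown on the page; nested ": (" entries inside an object, where present, end the search window, which is a simplification.

```shell
#!/bin/sh
# Added example (not from cpwiki.net or Check Point): resolve object names
# from a masters file to IP addresses using an objects.C-style file, with the
# search bounded to the named object's own block instead of "grep -A 200".

OBJECTS_C="${TMPDIR:-/tmp}/objects.C.sample"
MASTERS="${TMPDIR:-/tmp}/masters.sample"

# Constructed objects.C fragment in the ": (name ... )" layout seen on the page.
# "my_clm2" has "my_clm" as a name prefix; "no_ip_group" carries no :ipaddr.
cat > "$OBJECTS_C" <<'EOF'
(
    :network_objects (
        : (mysmartcenter
            :AdminInfo (
                :chkpf_uid ("{PLACEHOLDER-UID}")
            )
            :type (host)
            :ipaddr (192.168.1.100)
        )
        : (my_clm2
            :type (host)
            :ipaddr (10.9.9.9)
        )
        : (no_ip_group
            :type (group)
        )
        : (my_clm
            :type (host)
            :ipaddr (192.168.1.10)
        )
    )
)
EOF

# Constructed masters file: [Policy] names the manager, [Log] the log servers.
cat > "$MASTERS" <<'EOF'
[Policy]
mysmartcenter
[Log]
my_clm
[Alert]
my_clm
EOF

# object_ip NAME FILE
# Prints the :ipaddr of the object whose header line is exactly ": (NAME",
# reading only until the next object header. Exit 1 (no output) if the
# object has no :ipaddr, instead of spilling into the next object.
object_ip() {
    awk -v name="$1" '
        $0 ~ /^[ \t]*: [(]/ {
            hdr = $0
            sub(/^[ \t]*: [(]/, "", hdr)
            inobj = (hdr == name)   # exact match, so a prefix does not hit
            next
        }
        inobj && $0 ~ /^[ \t]*:ipaddr [(]/ {
            ip = $0
            sub(/^[ \t]*:ipaddr [(]/, "", ip)
            sub(/[)].*$/, "", ip)
            print ip
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# masters_section SECTION FILE
# Prints the object names listed under [SECTION] in a masters file.
masters_section() {
    awk -v sec="[$1]" '
        /^\[/ { p = ($0 == sec); next }
        p && NF { print $1 }
    ' "$2"
}

# log_servers MASTERS_FILE OBJECTS_FILE
# Prints "name ip" for every log server under [Log]; objects without an
# address are reported explicitly rather than silently mis-resolved.
log_servers() {
    masters_section Log "$1" | while read -r n; do
        ip=$(object_ip "$n" "$2") || ip="NO_IPADDR"
        echo "$n $ip"
    done
}

log_servers "$MASTERS" "$OBJECTS_C"
```

Run it on a real gateway by pointing OBJECTS_C and MASTERS at $FWDIR/database/objects.C and $FWDIR/conf/masters; the manager can be resolved the same way with `masters_section Policy`.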
local firewall rules.C file
(revision 511, 2014-07-03T17:54:57Z, Nighthawk)

== file location ==
$FWDIR/database/rules.C

log connection verification
(revision 874, 2022-09-15T13:48:12Z, Nighthawk)

[Expert@chkpfw2:0]# '''cpstat fw -f log_connection'''

Overall Status: 0
Overall Status Description: Security Gateway is reporting logs as defined
Local Logging Mode Description: Logs are written to log server
Local Logging Mode Status: 0

Log Servers Connections
--------------------------------------------
|IP            |Status|Status Description  |
--------------------------------------------
|192.168.144.80|     0|Log-Server Connected|
--------------------------------------------

netstat should show an established connection to the logging management server
[Expert@chkpfw2:0]# '''netstat -an | grep -i "257.*ESTABLISHED"'''
tcp        0      0 192.168.1.3:49571      192.168.1.80:257       ESTABLISHED

fwd restart to re-establish log connections
stop
# cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"
start
# cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd"
[[category:logging]]

maestro change Chassis/SGM up/down state
(revision 858, 2021-04-11T01:00:42Z, Nighthawk)

[Expert@MyChassis-ch01-01:0]# '''g_clusterXL_admin -b 1_1 up'''
You are about to perform blade_admin up on blades: 1_1
This action will change members state
Are you sure? (Y - yes, any other key - no) y
Blade_admin up requires auditing
Enter your full name: bob frapples
Enter reason for blade_admin up [Maintenance]:
WARNING: Blade_admin up on blades: 1_1, User: bob frapples, Reason: Maintenance
Members outputs:
-*- 1 blade: 1_1 -*-
Setting member to normal operation ...
Member current state is ACTIVE
[[category:maestro]]

maestro reference
(revision 909, 2024-05-13T16:39:23Z, Nighthawk)

==security groups==
Single Management Object (SMO) handles all management tasks, such as Security Gateway configuration, policy installation, remote connections, and logging. The Active Security Group Member with the lowest ID number is automatically assigned to be the SMO.

identify the SMO and tasks
# asg stat -i tasks

===policy installation===
The Management Server installs the policy on the SMO Master and then it is copied to the other UP members. Use [[asg policy - command|asg policy]] to verify or unload a policy.

===Synchronizing Policy and Configuration Between Security Group Members===
synchronize the policies manually to a SG member
asg_blade_config pull_config

==Managing Security Groups==
===Connecting to a Specific Security Group Member===
# member <Member ID>
or
# m <Member ID>

connecting to member in specific SG
# m <Security Group ID> <Member ID>

==HA==
clusterXL_admin up

==orchestrator==
get port transceiver type
> show maestro port x optic info

maestro setup
(revision 855, 2021-04-10T02:18:14Z, Nighthawk)

single site and single MHO
version r80.20
mho-140

connected downlink ports
connect to MHO via mgmt port 0 on the back on default ip of 192.168.1.1
ssh to the orchestrator
set the orchestrator amount to 1, as the default is 2; at clish run
set maestro configuration orchestrator-amount 1
save config
if this step is skipped you will receive the error message: "Fail to load security groups"
click on "orchestrator" on the left
should see appliances under unassigned gateways
....
gclish
>set smo image auto-clone state on

misc commands
asg_policy unload

manager to firewall services
(revision 705, 2018-01-19T20:13:33Z, Nighthawk)

manager / mgmt / MDM / CMA / smartcenter to firewall
fw1 - tcp 256
fw1_lea - tcp 18184
fw1_sam - tcp 18183
fw1_ica_push - tcp 18211
cpd
cpd_amon
fw1_cprid
cpmi

manual upgrade notes
(revision 703, 2017-11-19T06:42:36Z, Nighthawk)

77.20 to 77.30

installer versions check...
cpvinfo $DADIR/bin/DAService | grep Build

upgrade installer
rpm -Uhv --force CPda-00-00.i386-1278.rpm

check base fw ver
installer import local Check_Point_R77.30_T204_Install_and_Upgrade.tgz
installer install Check_Point_R77.30_T204_Install_and_Upgrade.tgz
rebooted by installer

77.30 to hotfix to post build script
touch /etc/.wizard_accepted
cpconfig
rpm -ihv --force CPppak-R77-00.i386.rpm
reboot
cpconfig to enable securexl (not needed)
cpconfig to configure corexl instances
configure $FWDIR/boot/modules/fwkern.conf
(13800 example)
fwx_nat_dynamic_port_allocation=1
fwx_old_icmp_nat=1
fw_drop_icmp_errors_over_tcp=1
fwkern_optimize_drops_support=1
fwha_monitor_if_link_state=0
clish> set core-dump enable
reboot
installer import local Check_Point_R77_30_JUMBO_HF_1_Bundle_T216_FULL.tgz
installer install Check_Point_R77_30_JUMBO_HF_1_Bundle_T216_FULL.tgz
reboot (installer)
# mkdir HF_INSTALL
# cd HF_INSTALL
# tar xvfz ../SecurePlatform_HOTFIX_R7730_T216_JHF_879.tgz
# ./SecurePlatform_HOTFIX_R7730_T216_JHF_879_990879001_1
reboot

mds backup
(revision 211, 2013-08-29T05:32:06Z, Nighthawk)

backup and don't ask me any dumb questions.
# mds_backup -l -b -d /var/backup/

== Exclude file ==
$MDSDIR/conf/mds_exclude.dat

keywords: mdsbackup mds backup

mgmt cli examples
(revision 585, 2016-06-07T18:31:31Z, Nighthawk)

dump all rules
mgmt_cli show-access-rulebase name Network use-object-dictionary false -u jsmith -p abc123

note: a password given with -p on the command line ends up in the shell history and is visible to other users in the process list while the command runs; treat the example credentials above as placeholders.

mgmt cli on ubuntu
(revision 829, 2019-05-14T16:10:45Z, Nighthawk)

[https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/mgmt-cli-on-Ubuntu/td-p/28706 mgmt_cli on ubuntu]
[[category:api]]

nagios
(revision 495, 2014-06-08T21:03:08Z, Nighthawk)

[http://patrick.proy.free.fr/nagios/index_commands.html]
[[category:monitoring]]

nokia - Enabling/Disabling SSH Service
(revision 143, 2013-05-24T15:36:36Z, Nighthawk)

== Enabling/Disabling SSH Service ==
enable ssh
set ssh server enable <0 | 1>
check
show ssh server enable
[[category:check point]] [[category:nokia]]

nokia - enable write access to /images/current directory
(revision 120, 2013-05-24T15:07:47Z, Nighthawk)

mount -u /
[[category:check point]] [[category:nokia]]

nokia - get amount of physical memory / RAM
(revision 132, 2013-05-24T15:28:28Z, Nighthawk)

determine amount of physical RAM:
# dmesg|grep "real memory"
[[category:check point]] [[category:nokia]]

nokia - get model / appliance number
(revision 502, 2014-06-12T15:07:42Z, Nighthawk)

works on all ipso versions
this is slow but it works...
# ipsctl -a | grep eeprom | grep "hw:eeprom:product_id =" | awk -F "=" '{print $2}' | sed 's/^[ \t]*//'
or for ipso 6.x
# clish -c '''"show asset hardware"'''
[[category:check point]] [[category:nokia]]

nokia - get route to destination
(revision 137, 2013-05-24T15:32:20Z, Nighthawk)

route get to specific destination:
run from iclid
iclid> '''sh route dest'''
or from shell...
example:
# '''echo show route dest 192.168.1.1 | iclid'''
Codes: C - connected, S - static, I - IGRP, R - RIP, B - BGP, O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA), A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed
S 192.168/16 via 10.10.1.254 eth1c0, cost 0, age 8939695
[[category:check point]] [[category:nokia]]

nokia - get serial number
(revision 131, 2013-05-24T15:27:49Z, Nighthawk)

serial number:
# ipsctl -a | grep serial
[[category:check point]] [[category:nokia]]

nokia - time since last vrrp faillover
(revision 478, 2014-05-24T20:37:56Z, Nighthawk)

'''time since last failover'''
run from shell
# clish -c "show vrrp interfaces"| grep -i time
or
# echo show vrrp int | iclid |grep -E "State|Interface"
[[category:check point]] [[category:nokia]]

nokia aggregate interface setup via CLI
(revision 602, 2016-08-05T05:02:19Z, Nighthawk)

set member interface parameters; they must all match
clish -c "set interface eth-s4p2 duplex full"
clish -c "set interface eth-s4p3 duplex full"
clish -c "set interface eth-s4p4 duplex full"
clish -c "set interface eth-s4p2 speed 1000M"
clish -c "set interface eth-s4p3 speed 1000M"
clish -c "set interface eth-s4p4 speed 1000M"
add interfaces above to group (need to create group 1st?...
not sure) clish -c "add linkaggregation group 1" clish -c "add linkaggregation group 1 port eth-s4p2 type primary" clish -c "add linkaggregation group 1 port eth-s4p3" clish -c "add linkaggregation group 1 port eth-s4p4" configure aggregate interface  clish -c "set interface ae1 active on" clish -c "set interface ae1 duplex full" clish -c "set interface ae1 speed 3000M" clish -c "set interface ae1c0 logical-name ae1c0" clish -c "add interface ae1c0 address 192.168.1.1/24" [[category:nokia]] a5ba5908da1364abee26961aecb2c88e61a52ed7 156 2013-07-03T14:41:52Z Nighthawk 1 Created page with "set member interface parameters, then must all match clish -c "set interface eth-s4p2 duplex full" clish -c "set interface eth-s4p3 duplex full" clish -c "set interface eth..." wikitext text/x-wiki set member interface parameters, then must all match clish -c "set interface eth-s4p2 duplex full" clish -c "set interface eth-s4p3 duplex full" clish -c "set interface eth-s4p4 duplex full" clish -c "set interface eth-s4p2 speed 1000M" clish -c "set interface eth-s4p3 speed 1000M" clish -c "set interface eth-s4p4 speed 1000M" add interfaces above to group (need to create group 1st?... not sure) clish -c "add linkaggregation group 1" clish -c "add linkaggregation group 1 port eth-s4p2 type primary" clish -c "add linkaggregation group 1 port eth-s4p3" clish -c "add linkaggregation group 1 port eth-s4p4" configure aggregate interface  clish -c "set interface ae1 active on" clish -c "set interface ae1 duplex full" clish -c "set interface ae1 speed 3000M" clish -c "set interface ae1c0 logical-name ae1c0" clish -c "add interface ae1c0 address 10.206.15.1/30" [[category:nokia]] nokia config active routes and arps 0 127 302 2013-11-05T04:49:29Z Nighthawk 1 Created page with " == to get a backup / snapshot of routes... == # cat /config/active | grep static == proxy arps == # cat /config/active | grep -i arp | grep proxy-only | grep macaddr [[c..." 
wikitext text/x-wiki == to get a backup / snapshot of routes... == # cat /config/active | grep static == proxy arps == # cat /config/active | grep -i arp | grep proxy-only | grep macaddr [[category:nokia]] nokia cpu info 0 105 190 189 2013-07-19T17:38:40Z Nighthawk 1 wikitext text/x-wiki command to gather cpu information. The number of CPU cores can be determined as well. '''Example:'''[[Link title]] (from IP2450) nokiafw[admin]# '''ipsctl -a |grep -i cpu''' kern:nokfw:callouts:CPU:0 = 0 kern:nokfw:callouts:CPU:1 = 0 kern:nokfw:callouts:CPU:2 = 927044562 kern:nokfw:callouts:CPU:3 = 55679468 kern:nokfw:callouts:CPU:4 = 55682630 kern:nokfw:callouts:CPU:5 = 55682991 kern:nokfw:callouts:CPU:6 = 55680200 kern:nokfw:callouts:CPU:7 = 55680035 net:taskq:id:0:irq_cpu = 0 net:taskq:id:1:irq_cpu = 1 net:ip:cluster:cpu_type = 0 net:ip:cluster:cpu_speed = 0 hw:sys_stat:temp:8:location = CPU8 TEMPERATURE hw:sys_stat:temp:7:location = CPU7 TEMPERATURE hw:sys_stat:temp:6:location = CPU6 TEMPERATURE hw:sys_stat:temp:5:location = CPU5 TEMPERATURE hw:sys_stat:temp:4:location = CPU4 TEMPERATURE hw:sys_stat:temp:3:location = CPU3 TEMPERATURE hw:sys_stat:temp:2:location = CPU2 TEMPERATURE hw:sys_stat:temp:1:location = CPU1 TEMPERATURE hw:sys_stat:volt:11:location = CPU2_CORE-V w:sys_stat:volt:3:location = CPU1_CORE-V hw:sys_stat:fan:12:location = CPU2_FAN2 hw:sys_stat:fan:11:location = CPU2_FAN1 hw:sys_stat:fan:10:location = CPU1_FAN2 hw:sys_stat:fan:9:location = CPU1_FAN1 hw:cpu_topo:0:mask = 15 hw:cpu_topo:0:child:0:mask = 3 hw:cpu_topo:0:child:1:mask = 12 hw:cpu_topo:1:mask = 240 hw:cpu_topo:1:child:0:mask = 48 hw:cpu_topo:1:child:1:mask = 192 hw:ncpupkgs = 2 hw:cpu:0:freq = 2660 hw:cpu:0:model = Intel(R) Xeon(R) CPU X5355 @ 2.66GHz hw:cpu:0:mfr = GenuineIntel 189 2013-07-19T17:38:28Z Nighthawk 1 Created page with "command to gather cpu information. The number of CPUs can be determined as well. 
'''Example:'''[[Link title]] (from IP2450) nokiafw[admin]# '''ipsctl -a |grep -i cpu''' ..." wikitext text/x-wiki command to gather cpu information. The number of CPUs can be determined as well. '''Example:'''[[Link title]] (from IP2450) nokiafw[admin]# '''ipsctl -a |grep -i cpu''' kern:nokfw:callouts:CPU:0 = 0 kern:nokfw:callouts:CPU:1 = 0 kern:nokfw:callouts:CPU:2 = 927044562 kern:nokfw:callouts:CPU:3 = 55679468 kern:nokfw:callouts:CPU:4 = 55682630 kern:nokfw:callouts:CPU:5 = 55682991 kern:nokfw:callouts:CPU:6 = 55680200 kern:nokfw:callouts:CPU:7 = 55680035 net:taskq:id:0:irq_cpu = 0 net:taskq:id:1:irq_cpu = 1 net:ip:cluster:cpu_type = 0 net:ip:cluster:cpu_speed = 0 hw:sys_stat:temp:8:location = CPU8 TEMPERATURE hw:sys_stat:temp:7:location = CPU7 TEMPERATURE hw:sys_stat:temp:6:location = CPU6 TEMPERATURE hw:sys_stat:temp:5:location = CPU5 TEMPERATURE hw:sys_stat:temp:4:location = CPU4 TEMPERATURE hw:sys_stat:temp:3:location = CPU3 TEMPERATURE hw:sys_stat:temp:2:location = CPU2 TEMPERATURE hw:sys_stat:temp:1:location = CPU1 TEMPERATURE hw:sys_stat:volt:11:location = CPU2_CORE-V w:sys_stat:volt:3:location = CPU1_CORE-V hw:sys_stat:fan:12:location = CPU2_FAN2 hw:sys_stat:fan:11:location = CPU2_FAN1 hw:sys_stat:fan:10:location = CPU1_FAN2 hw:sys_stat:fan:9:location = CPU1_FAN1 hw:cpu_topo:0:mask = 15 hw:cpu_topo:0:child:0:mask = 3 hw:cpu_topo:0:child:1:mask = 12 hw:cpu_topo:1:mask = 240 hw:cpu_topo:1:child:0:mask = 48 hw:cpu_topo:1:child:1:mask = 192 hw:ncpupkgs = 2 hw:cpu:0:freq = 2660 hw:cpu:0:model = Intel(R) Xeon(R) CPU X5355 @ 2.66GHz hw:cpu:0:mfr = GenuineIntel nokia cpu monitoring 0 157 558 432 2015-07-27T12:20:25Z Nighthawk 1 wikitext text/x-wiki view individual cpu stats # top -SHp last pid: 61252; load averages: 0.31, 0.37, 0.35 up 229+17:51:01 21:24:55 132 processes: 9 running, 97 sleeping, 1 zombie, 25 waiting CPU00: 0.5% user, 0.0% nice, 3.5% system, 4.5% interrupt, 91.5% idle CPU01: 0.0% user, 0.0% nice, 0.4% system, 5.4% interrupt, 94.2% idle CPU02: 
0.0% user, 0.0% nice, 0.6% system, 2.9% interrupt, 96.5% idle CPU03: 0.1% user, 0.0% nice, 0.4% system, 2.0% interrupt, 97.6% idle CPU04: 0.3% user, 0.0% nice, 1.1% system, 4.0% interrupt, 94.7% idle CPU05: 0.1% user, 0.0% nice, 0.7% system, 2.5% interrupt, 96.7% idle CPU06: 0.0% user, 0.0% nice, 0.2% system, 4.7% interrupt, 95.1% idle CPU07: 0.0% user, 0.0% nice, 0.1% system, 3.2% interrupt, 96.6% idle Mem: 320M Active, 365M Inact, 1173M Wired, 8K Cache, 99M Buf, 641M Free Swap: 8192M Total, 8192M Free PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND 14 root 171 52 0K 16K CPU3 3 5325.8 100.00% idle: cpu3 12 root 171 52 0K 16K CPU5 5 5314.1 100.00% idle: cpu5 15 root 171 52 0K 16K CPU2 2 5247.5 100.00% idle: cpu2 13 root 171 52 0K 16K RUN 4 5225.1 97.46% idle: cpu4 10 root 171 52 0K 16K CPU7 7 5298.0 95.46% idle: cpu7 11 root 171 52 0K 16K CPU6 6 5294.7 95.36% idle: cpu6 16 root 171 52 0K 16K CPU1 1 5285.3 94.48% idle: cpu1 variation # top -mio -SHp [[category:nokia]] [[category:performance]] 432 2014-05-02T21:28:04Z Nighthawk 1 Created page with "view individual cpu stats # top -SHp last pid: 61252; load averages: 0.31, 0.37, 0.35 up 229+17:51:01 21:2..." 
wikitext text/x-wiki view individual cpu stats # top -SHp last pid: 61252; load averages: 0.31, 0.37, 0.35 up 229+17:51:01 21:24:55 132 processes: 9 running, 97 sleeping, 1 zombie, 25 waiting CPU00: 0.5% user, 0.0% nice, 3.5% system, 4.5% interrupt, 91.5% idle CPU01: 0.0% user, 0.0% nice, 0.4% system, 5.4% interrupt, 94.2% idle CPU02: 0.0% user, 0.0% nice, 0.6% system, 2.9% interrupt, 96.5% idle CPU03: 0.1% user, 0.0% nice, 0.4% system, 2.0% interrupt, 97.6% idle CPU04: 0.3% user, 0.0% nice, 1.1% system, 4.0% interrupt, 94.7% idle CPU05: 0.1% user, 0.0% nice, 0.7% system, 2.5% interrupt, 96.7% idle CPU06: 0.0% user, 0.0% nice, 0.2% system, 4.7% interrupt, 95.1% idle CPU07: 0.0% user, 0.0% nice, 0.1% system, 3.2% interrupt, 96.6% idle Mem: 320M Active, 365M Inact, 1173M Wired, 8K Cache, 99M Buf, 641M Free Swap: 8192M Total, 8192M Free PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND 14 root 171 52 0K 16K CPU3 3 5325.8 100.00% idle: cpu3 12 root 171 52 0K 16K CPU5 5 5314.1 100.00% idle: cpu5 15 root 171 52 0K 16K CPU2 2 5247.5 100.00% idle: cpu2 13 root 171 52 0K 16K RUN 4 5225.1 97.46% idle: cpu4 10 root 171 52 0K 16K CPU7 7 5298.0 95.46% idle: cpu7 11 root 171 52 0K 16K CPU6 6 5294.7 95.36% idle: cpu6 16 root 171 52 0K 16K CPU1 1 5285.3 94.48% idle: cpu1 [[category:nokia]] [[category:performance]] nokia db debug mode via console 0 125 429 428 2014-04-30T19:40:21Z Nighthawk 1 moved [[console]] to [[nokia db debug mode via console]] wikitext text/x-wiki == nokia db debug mode via console == This article desribes how to break, interrupt, debug or reboot a nokia from the console... without having to login to a tty. To do so, we need to... 1. Send a break via the console 2. Enter the debug mode == Send break == for a WTI scm, send break by default is '''ctrl \''' for a telnet console, '''ctrl ]''' then at the telnet prompt... telnet> send break <enter> == Enter debug mode == on nokia firewalls, after the send break there is no "feedback". 
To enter ipso debug mode, type the following within a couple of seconds following the send break '''ddb <enter>''' if successful, you will see the following prompt... db> type help for a list of available commands. these vary by platform. db> '''help''' print p examine x search set write w delete d break b dwatch watch dhwatch hwatch step s continue c until next match trace t alltrace where bt call show ps gdb halt reboot reset kill watchdog thread panic if you want to reboot, and the option isn't present as above, use panic. [[category:console]] 428 278 2014-04-30T19:39:59Z Nighthawk 1 wikitext text/x-wiki == nokia db debug mode via console == This article desribes how to break, interrupt, debug or reboot a nokia from the console... without having to login to a tty. To do so, we need to... 1. Send a break via the console 2. Enter the debug mode == Send break == for a WTI scm, send break by default is '''ctrl \''' for a telnet console, '''ctrl ]''' then at the telnet prompt... telnet> send break <enter> == Enter debug mode == on nokia firewalls, after the send break there is no "feedback". To enter ipso debug mode, type the following within a couple of seconds following the send break '''ddb <enter>''' if successful, you will see the following prompt... db> type help for a list of available commands. these vary by platform. db> '''help''' print p examine x search set write w delete d break b dwatch watch dhwatch hwatch step s continue c until next match trace t alltrace where bt call show ps gdb halt reboot reset kill watchdog thread panic if you want to reboot, and the option isn't present as above, use panic. [[category:console]] 278 2013-09-28T03:26:43Z Nighthawk 1 Created page with "WTI scm send break '''ctrl \''' on nokia firewalls, after the send break there is no "feedback". To enter ipso debug mode: '''ddb''' db> type help for a list of av..." 
wikitext text/x-wiki WTI scm send break '''ctrl \''' on nokia firewalls, after the send break there is no "feedback". To enter ipso debug mode: '''ddb''' db> type help for a list of available commands. these vary by platform. db> '''help''' print p examine x search set write w delete d break b dwatch watch dhwatch hwatch step s continue c until next match trace t alltrace where bt call show ps gdb halt reboot reset kill watchdog thread panic [[category:console]] nokia firewall boot manager upgrade command 0 58 286 285 2013-10-24T04:28:11Z Nighthawk 1 wikitext text/x-wiki '''bootmgr upgrade cmds''' '''ipso 6.x''' upgrade_bootmgr /var/emhome/admin/nkipflash-6.2-GA029a02.bin '''ipso 4.1(needs device parameter)''' to check/determine boot manager device number... ipsctl kern:bootmgr:bmdev where X = device number from above upgrade_bootmgr /dev/wdX /var/emhome/admin/nkipflash-6.2-GA029a02.bin example: upgrade_bootmgr /dev/wd1 /var/emhome/admin/nkipflash-6.2-GA029a02.bin [[category:nokia]] 285 67 2013-10-24T04:27:59Z Nighthawk 1 wikitext text/x-wiki '''bootmgr upgrade cmds''' '''ipso 6.x''' upgrade_bootmgr /var/emhome/admin/nkipflash-6.2-GA029a02.bin '''ipso 4.1(needs device parameter)''' to check/determine boot manager device number... ipsctl kern:bootmgr:bmdev where X = device number from above upgrade_bootmgr /dev/wdX /var/emhome/admin/nkipflash-6.2-GA029a02.bin example: upgrade_bootmgr /dev/wd1 /var/emhome/admin/nkipflash-6.2-GA029a02.bin [[category:nokia]] 67 66 2013-04-21T03:02:55Z Nighthawk 1 wikitext text/x-wiki determine boot manager device number ipsctl kern:bootmgr:bmdev where X = device number from above upgrade_bootmgr /dev/wdX /var/emhome/admin/nkipflash-6.2-GA029a02.bin [[category:nokia]] 66 2013-04-21T03:00:40Z Nighthawk 1 Created page with "asdf" wikitext text/x-wiki asdf nokia ipso double default gateway check 0 73 102 2013-05-18T05:46:19Z Nighthawk 1 Created page with "This command is useful after installing IPSO and restoring a config. 
Sometimes the default gateway set for the IPSO install will linger... firewall1[admin]# cat /config/acti..." wikitext text/x-wiki This command is useful after installing IPSO and restoring a config. Sometimes the default gateway set for the IPSO install will linger... firewall1[admin]# cat /config/active | grep "default:gateway:address" | grep " t" | wc -l [[category:ipso]] nokia ipso verify hotfixes installed 0 199 601 2016-07-24T01:51:53Z Nighthawk 1 Created page with "<source lang="bash"> # cpvinfo /opt/CPsuite-R75.20/fw1/boot/modules/fwmod.o | grep -i minor Minor Release = foxx_hf_ha30_390 </source>" wikitext text/x-wiki <source lang="bash"> # cpvinfo /opt/CPsuite-R75.20/fw1/boot/modules/fwmod.o | grep -i minor Minor Release = foxx_hf_ha30_390 </source> 2f3cf9001f5be7b226fdfa25e9b263d3c57ce303 nokia legacy vrrp failover 0 179 514 513 2014-07-12T18:27:52Z Nighthawk 1 wikitext text/x-wiki O.S. version: IPSO 4.2 If stuck working on and archaic firewall with a legacy vrrp setup, vrids must be failed over individually. The commands are below as shown by a one-liner script that will output the commands needed for you. # clish -c "show vrrp interfaces" | grep -E "Interface|VRID" | awk '{ if ($1=="Interface") printf "clish -c \"set vrrp interface %s ", $2; else printf "monitored-circuit vrid %s priority 105\"\n",$2;}' monitored-circuit vrid Interfaces priority 105" '''<<<ignore first line of output''' clish -c "set vrrp interface eth-s1/s1p1c0 monitored-circuit vrid 48 priority 105" clish -c "set vrrp interface eth-s1/s2p2c1 monitored-circuit vrid 153 priority 105" clish -c "set vrrp interface eth-s1/s2p2c10 monitored-circuit vrid 165 priority 105" clish -c "set vrrp interface eth-s1/s2p2c11 monitored-circuit vrid 164 priority 105" clish -c "set vrrp interface eth-s1/s2p2c12 monitored-circuit vrid 167 priority 105" [[category:nokia]] [[category:ipso]] [[category:vrrp]] 513 512 2014-07-12T18:27:43Z Nighthawk 1 wikitext text/x-wiki O.S. 
version: IPSO 4.2 If stuck working on and archaic firewall with a legacy vrrp setup, vrids must be failed over individually. The commands are below as shown by a one-liner script that will output the commands needed for you. # clish -c "show vrrp interfaces" | grep -E "Interface|VRID" | awk '{ if ($1=="Interface") printf "clish -c \"set vrrp interface %s ", $2; else printf "monitored-circuit vrid %s priority 105\"\n",$2;}' monitored-circuit vrid Interfaces priority 105" '''<<<ignore first line of output''' clish -c "set vrrp interface eth-s1/s1p1c0 monitored-circuit vrid 48 priority 105" clish -c "set vrrp interface eth-s1/s2p2c1 monitored-circuit vrid 153 priority 105" clish -c "set vrrp interface eth-s1/s2p2c10 monitored-circuit vrid 165 priority 105" clish -c "set vrrp interface eth-s1/s2p2c11 monitored-circuit vrid 164 priority 105" clish -c "set vrrp interface eth-s1/s2p2c12 monitored-circuit vrid 167 priority 105" [[category:nokia]] [[category:ipso]] [[category:vrrp]] 512 2014-07-12T18:27:17Z Nighthawk 1 Created page with "O.S. version: IPSO 4.2 If stuck working on and archaic firewall with a legacy vrrp setup, vrids must be failed over individually. The commands are below as shown by a one-l..." wikitext text/x-wiki O.S. version: IPSO 4.2 If stuck working on and archaic firewall with a legacy vrrp setup, vrids must be failed over individually. The commands are below as shown by a one-liner script that will output the commands needed for you. 
# clish -c "show vrrp interfaces" | grep -E "Interface|VRID" | awk '{ if ($1=="Interface") printf "clish -c \"set vrrp interface %s ", $2; else printf "monitored-circuit vrid %s priority 105\"\n",$2;}' monitored-circuit vrid Interfaces priority 105" '''<<<ignore first line of output''' clish -c "set vrrp interface eth-s1/s1p1c0 monitored-circuit vrid 48 priority 105" clish -c "set vrrp interface eth-s1/s2p2c1 monitored-circuit vrid 153 priority 105" clish -c "set vrrp interface eth-s1/s2p2c10 monitored-circuit vrid 165 priority 105" clish -c "set vrrp interface eth-s1/s2p2c11 monitored-circuit vrid 164 priority 105" clish -c "set vrrp interface eth-s1/s2p2c12 monitored-circuit vrid 167 priority 105" [[category:nokia]] [[category:ipso]] [[category:vrrp]] opengear console notes 0 265 890 889 2023-12-15T15:18:24Z Nighthawk 1 wikitext text/x-wiki to enter portmanager shell, run ''pmshell'' example: $ pmshell 1: Router 4: PDU 6: ISR 8: Switch 33: Front, Upper 34: Front, Lower <br>Connect to port > to connect to a port, just type the number followed by <enter> escape character: * By default, the escape character is: ~ * If you are connected using the OpenSSH command line client, e.g. from Mac or Linux system, you must type a second ~ to trigger the escape, i.e.: ~~ * An alternate escape character may be set under Serial & Network -> Serial Port -> Edit/Edit Multiple Ports -> Escape Character * The escape character must be the first character on a new line Shell Commands: ~b - Generate BREAK ~h - View history ~p - Power menu ~c - Port Configuration menu ~u – User sessions disconnect menu ~m - Connect to port menu ~. - Exit pmshell ~? - Show this message a34a4641332731eb8ea0385034f0bc6dd07772a1 889 2023-12-15T15:17:54Z Nighthawk 1 Created page with "to enter portmanager shell, run ''pmshell'' example: $ pmshell 1: Router 4: PDU 6: ISR 8: Switch 33: Front, Upper 34: Front, Lowe..." 
wikitext text/x-wiki to enter portmanager shell, run ''pmshell'' example: $ pmshell 1: Router 4: PDU 6: ISR 8: Switch 33: Front, Upper 34: Front, Lower <br>Connect to port > escape character: * By default, the escape character is: ~ * If you are connected using the OpenSSH command line client, e.g. from Mac or Linux system, you must type a second ~ to trigger the escape, i.e.: ~~ * An alternate escape character may be set under Serial & Network -> Serial Port -> Edit/Edit Multiple Ports -> Escape Character * The escape character must be the first character on a new line Shell Commands: ~b - Generate BREAK ~h - View history ~p - Power menu ~c - Port Configuration menu ~u – User sessions disconnect menu ~m - Connect to port menu ~. - Exit pmshell ~? - Show this message 4256eb0f1e5e80aba27dd09d7cedfeafed2b6ec2 palo alto api 0 252 837 2019-09-16T22:44:17Z Nighthawk 1 Created page with " [https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/explore-the-api.html PAN-OS® and Panorama™ API Guide] ==panxapi== co..." wikitext text/x-wiki [https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/explore-the-api.html PAN-OS® and Panorama™ API Guide] ==panxapi== command line program for accessing the PAN-OS XML API [https://github.com/kevinsteves/pan-python/blob/master/doc/panxapi.rst panxapi.py documentation] [[category:palo alto]] [[category:api]] affa1214ad5202d226d6d89817b1101f2f1e0e84 palo alto panorama 0 41 46 2013-04-09T14:52:14Z Nighthawk 1 Created page with "quick start guide https://sites.google.com/site/panfirewall/panorama \ [[category:pan]]" wikitext text/x-wiki quick start guide https://sites.google.com/site/panfirewall/panorama \ [[category:pan]] panorama api 0 251 836 835 2019-08-23T17:31:58Z Nighthawk 1 wikitext text/x-wiki login for token / key $ curl -k "https://<''hostname|ip''>/api/?type=keygen&user=<username>&password=<password>" example... 
curl -k "https://192.168.1.1/api/?type=keygen&user=admin&password=admin" <response status = 'success'><result><key>LUFRPT1jMUFXZHlNdDBPVTEya0lQNWorTyttYURFNmM9UHdvL2REWWUyaWFIU1hlZHdiRU5BQT09</key></result></response> Get a list of firewalls that Panorama manages: https://<''hostname|ip''>/api/?type=op&cmd=<show><devices><all></all></devices></show> curl example curl -kg "https://192.168.1.1/api/?type=op&cmd=<show><devices><all></all></devices></show>&key=LUFRPT1jMUFXZHlNdDBPVTEya0lQNWorTyttYURFNmM9UHdvL2REWWUyaWFIU1hlZHdiRU5BQT09" 94859ccb38cd9df1dbd1e9b59a5934fa44310468 835 2019-08-23T17:23:12Z Nighthawk 1 Created page with " login for token / key $ curl -k "https://<hostname|ip>/api/?type=keygen&user=<username>&password=<password>" Get a list of firewalls that Panorama manages: https://p..." wikitext text/x-wiki login for token / key $ curl -k "https://<hostname|ip>/api/?type=keygen&user=<username>&password=<password>" Get a list of firewalls that Panorama manages: https://panorama/api/?type=op&cmd=<show><devices><all></all></devices></show> 6b827bbcb07c88d16b7bcd6771af4e362068355a policy installation status via CLI 0 112 679 678 2017-08-21T20:47:56Z Nighthawk 1 wikitext text/x-wiki These commands can be used to query policy info for firewalls. The cpmistat command is executed on Security Management Server / Domain Security Management Server. The firewall name should be a standalone firewall or a cluster member. It won't work for cluster objects. Many other parameters are available via cpmistat. get name of policy installed on a firewalls # cpmistat -r fw ''firewall_name'' | grep fwStatus.fwPolicyStat.fwPolicyName get install time # cpmistat -r fw ''firewall_name'' | grep fwStatus.fwPolicyStat.fwInstallTime [[category:cpmistat]] 406a8f10dfcfadc2eccbd292bd29e4062212a1ca 678 204 2017-08-16T15:59:19Z Nighthawk 1 wikitext text/x-wiki These commands can be used to query policy info for firewalls. 
The cpmistat command is executed on Security Management Server / Domain Security Management Server. The firewall name should be a standalone firewall or a cluster member. It won't work for cluster objects. Many other parameters are available via cpmistat. get name of policy installed on a firewalls # cpmistat -r fw ''firewall_name'' | grep fwStatus.fwPolicyStat.fwPolicyName get install time # cpmistat -r fw ''firewall_name'' | grep fwStatus.fwPolicyStat. [[category:cpmistat]] ac76fd1a3fb419b7b3660eddbca313f9e27cde7d 204 2013-08-20T20:56:41Z Nighthawk 1 Created page with "get name of policy installed on a firewalls cpmistat -o snmp -r fw ''firewall_name'' | grep fwStatus.fwPolicyStat.fwPolicyName [[category:cpmistat]]" wikitext text/x-wiki get name of policy installed on a firewalls cpmistat -o snmp -r fw ''firewall_name'' | grep fwStatus.fwPolicyStat.fwPolicyName [[category:cpmistat]] project - chkp to PAN migration 0 60 80 79 2013-04-26T17:43:36Z Nighthawk 1 wikitext text/x-wiki Check Point to Palo Alto Firewall rules and objects migration procedure == problems == splitting management and passthrough firewall rules dealing with trust / untrust zones (zone to zone mapping) check point firewall object IP netmask issue PolicyName.W bug nat rule import error... [[file:pan_load_migrated_config_nat_rule_errors.png]] == nice to haves == pull ntp config [[category:PAN]] 79 2013-04-26T17:42:51Z Nighthawk 1 Pushed from Themanclub. wikitext text/x-wiki == problems == splitting management and passthrough firewall rules dealing with trust / untrust zones (zone to zone mapping) check point firewall object IP netmask issue PolicyName.W bug nat rule import error... [[file:pan_load_migrated_config_nat_rule_errors.png]] == nice to haves == pull ntp config [[category:PAN]] project - log settings identify 0 124 298 297 2013-11-01T16:57:27Z Nighthawk 1 /* scratch */ wikitext text/x-wiki == Problem: == indentify firewalls configured to log to CMA, or locally... 
anything except for CLM only. == script name: == ??? == scratch == mdsenv <ip> cpmiquerybin attr "" network_objects "firewall='installed'" -a __name__ ###indentify all firewalls cpmiquerybin object "" network_objects "name='$FIREWALL_NAME'" | grep self_log_server | sed -n 's/.*(\([^ ]*\))/\1/p' | grep -v ^$ cpmiquerybin object "" network_objects "name='$FIREWALL_NAME'" | grep forward_logs | sed -n 's/.*(\([^ ]*\))/\1/p' | grep -v ^$ cpmiquerybin object "" network_objects "name='$FIREWALL_NAME'" | grep log_switch_before_forwarding | sed -n 's/.*(\([^ ]*\))/\1/p' cpmiquerybin object "" network_objects "name='$FIREWALL_NAME'" | grep -A 1 log_forward_target | grep ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p' '''multiple results possible''' cpmiquerybin object "" network_objects "name='$firewall_name'" | sed -n -e '/:send_logs_to/,/:self_log_server/ p' | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p' | tr '\n' ' ' cpmiquerybin object "" network_objects "name='$FIREWALL_NAME'" | sed -n -e '/backup_log_servers/,/:send_alerts_to/ p'| grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p' | tr '\n' ' ' 297 296 2013-10-31T17:25:16Z Nighthawk 1 /* scratch */ wikitext text/x-wiki == Problem: == indentify firewalls configured to log to CMA, or locally... anything except for CLM only. == script name: == ??? 
== scratch == mdsenv <ip> cpmiquerybin attr "" network_objects "firewall='installed'" -a __name__ ###indentify all firewalls cpmiquerybin object "" network_objects "name='$FIREWALL_NAME'" | grep self_log_server | sed -n 's/.*(\([^ ]*\))/\1/p' | grep -v ^$ cpmiquerybin object "" network_objects "name='$FIREWALL_NAME'" | grep forward_logs | sed -n 's/.*(\([^ ]*\))/\1/p' | grep -v ^$ cpmiquerybin object "" network_objects "name='$FIREWALL_NAME'" | grep log_switch_before_forwarding | sed -n 's/.*(\([^ ]*\))/\1/p' cpmiquerybin object "" network_objects "name='$FIREWALL_NAME'" | grep -A 1 log_forward_target | grep ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p' '''multiple results possible''' cpmiquerybin object "" network_objects "name='$firewall_name'" | sed -n -e '/:send_logs_to/,/:self_log_server/ p' | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p' | tr '\n' ' ' cpmiquerybin object "" network_objects "name='$FIREWALL_NAME'" | sed -n -e '/backup_log_servers/,/:send_alerts_to/ p'| grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p' | tr '\n' ' ' backup_log_servers 296 295 2013-10-31T17:22:49Z Nighthawk 1 /* scratch */ wikitext text/x-wiki == Problem: == indentify firewalls configured to log to CMA, or locally... anything except for CLM only. == script name: == ??? 
== scratch ==
<pre>
mdsenv <ip>
cpmiquerybin attr "" network_objects "firewall='installed'" -a __name__   ### identify all firewalls
cpmiquerybin object "" network_objects "name='$FIREWALL_NAME'" | grep self_log_server | sed -n 's/.*(\([^ ]*\))/\1/p' | grep -v ^$
cpmiquerybin object "" network_objects "name='$FIREWALL_NAME'" | grep forward_logs | sed -n 's/.*(\([^ ]*\))/\1/p' | grep -v ^$
cpmiquerybin object "" network_objects "name='$FIREWALL_NAME'" | grep log_switch_before_forwarding | sed -n 's/.*(\([^ ]*\))/\1/p'
cpmiquerybin object "" network_objects "name='$FIREWALL_NAME'" | grep -A 1 log_forward_target | grep ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p'
</pre>
'''multiple results possible'''
<pre>
cpmiquerybin object "" network_objects "name='$FIREWALL_NAME'" | sed -n -e '/:send_logs_to/,/:self_log_server/ p' | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p' | tr '\n' ' '
cpmiquerybin object "" network_objects "name='$FIREWALL_NAME'" | sed -n -e '/backup_log_servers/,/:send_alerts_to/ p' | grep -E ":Name |self_log_server (true)"
</pre>
backup_log_servers
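Putting the scratch checks above together, as an added example that is not part of this wiki page: a POSIX sh script that applies the same ":attr (value)" extraction to a cpmiquerybin object dump and reports why a firewall is anything other than CLM-only. The two object dumps, their attribute layout and every name in them (labfw1, labfw2, clm-1, mgmt-cma) are constructed assumptions, not real management-server output.

```shell
#!/bin/sh
# Added example, not from the wiki page: classify one firewall's log targets
# from the text that `cpmiquerybin object "" network_objects "name='...'"`
# prints. Goal is the page's "anything except CLM only" question: flag a
# firewall that logs locally, forwards logs, or sends logs to a non-CLM server.
# The two dumps below are CONSTRUCTED to mimic the ":attr (value)" and
# ReferenceObject layout the page's grep/sed pipelines expect; the layout and
# all names (labfw1, labfw2, clm-1, mgmt-cma) are assumptions, not real output.

# Constructed: logs to a CLM but also keeps local logs and forwards to a CMA.
SAMPLE_MIXED='
        :Name (labfw1)
        :forward_logs (true)
        :log_forward_target (ReferenceObject
                :Name (mgmt-cma)
                :Table (network_objects)
        )
        :log_switch_before_forwarding (false)
        :self_log_server (true)
        :send_logs_to (
                : (ReferenceObject
                        :Name (clm-1)
                        :Table (network_objects)
                )
        )
'

# Constructed: the compliant case, CLM only and no local logging.
SAMPLE_CLM_ONLY='
        :Name (labfw2)
        :forward_logs (false)
        :self_log_server (false)
        :send_logs_to (
                : (ReferenceObject
                        :Name (clm-1)
                        :Table (network_objects)
                )
        )
'

# attr_value OBJ ATTR: scalar value of a ":ATTR (value)" line, using the same
# sed substitution as the page. Prints nothing for a nested (multi-line) attr.
attr_value() {
    printf '%s\n' "$1" | grep "^[[:space:]]*:$2 (" | sed -n 's/.*(\([^ ]*\))/\1/p'
}

# ref_names OBJ ATTR: the :Name of every ReferenceObject nested under ":ATTR (".
# Tracks parenthesis depth instead of the page's sed line range, so the result
# does not depend on which attribute happens to follow ATTR in the dump.
ref_names() {
    printf '%s\n' "$1" | awk -v attr=":$2" '
        !inblk && $1 == attr && $2 ~ /^\(/ { inblk = 1; depth = 0 }
        inblk {
            depth += gsub(/\(/, "(") - gsub(/\)/, ")")
            if ($1 == ":Name") { v = $2; sub(/^\(/, "", v); sub(/\)$/, "", v); print v }
            if (depth <= 0) inblk = 0
        }'
}

# log_review OBJ "clm-a clm-b ...": prints "CLM-only" when every log target is a
# listed CLM and nothing is logged locally or forwarded; otherwise prints one
# reason per line (these are the firewalls the page wants to identify).
log_review() {
    obj=$1
    clms=" $2 "
    reasons=""
    nl='
'
    [ "$(attr_value "$obj" self_log_server)" = "true" ] &&
        reasons="${reasons}local logging: self_log_server (true)$nl"
    [ "$(attr_value "$obj" forward_logs)" = "true" ] &&
        reasons="${reasons}forwards logs to: $(ref_names "$obj" log_forward_target | paste -sd ' ' -)$nl"
    for t in $(ref_names "$obj" send_logs_to); do
        case "$clms" in
            *" $t "*) ;;                                  # a known CLM, fine
            *) reasons="${reasons}non-CLM log server: $t$nl" ;;
        esac
    done
    if [ -n "$reasons" ]; then printf '%s' "$reasons"; else echo "CLM-only"; fi
}

# Walk every installed firewall the way the page's first cpmiquerybin line
# enumerates them. Only works on a management server where cpmiquerybin exists
# (after mdsenv <ip>); it is not exercised by the offline demo below.
review_all_firewalls() {
    clms=$1
    cpmiquerybin attr "" network_objects "firewall='installed'" -a __name__ |
    while read -r fw; do
        echo "== $fw =="
        log_review "$(cpmiquerybin object "" network_objects "name='$fw'")" "$clms"
    done
}

# Offline demonstration on the constructed dumps.
echo "labfw1:"; log_review "$SAMPLE_MIXED" "clm-1"
echo "labfw2:"; log_review "$SAMPLE_CLM_ONLY" "clm-1"
```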
= queryDB util =
== get group object members ==
network objects (''obj_grp'' is the name of the group object):
<pre>
printf "localhost\n-t network_objects -o obj_grp -pf\n-q\n" | queryDB_util
</pre>
services:
<pre>
printf "localhost\n-t services -o icmp-requests -pf\n-q\n" | queryDB_util
</pre>
[[category:CPMI]]
= query rule hit counter db via command line =
==example queries R80+==
In R80+ the hit count database moved from the sqlite file to postgres.

'''note:''' case matters for the UID; all characters must be upper case, it seems...

show all hit count data for a specific rule uid:
<pre>
psql_client monitoring postgres -c "select hits,end_date from hitcount where rule_uid = '{0C8C26F9-7A52-4160-BB96-73AECEF13758}' limit 5"
</pre>
<pre>
 hits |      end_date
------+---------------------
    4 | 2017-06-30 22:01:08
   16 | 2017-07-01 22:01:06
   16 | 2017-07-02 22:01:05
   16 | 2017-07-03 22:01:03
   16 | 2017-07-04 22:01:02
</pre>
show hit counts for every rule of a rulebase through the management API (mgmt_cli with jq):
<pre>
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | {rule_number: ."rule-number",uid: .uid,hits: .hits.value}'
</pre>
<pre>
{
  "rule_number": 1,
  "uid": "1de8fab0-4858-4067-977d-1cbb5cd2e55d",
  "hits": 0
}
{
  "rule_number": 2,
  "uid": "bbbfd8e6-72b6-4ff0-82ca-a9b0a6151d07",
  "hits": 19
}
{
  "rule_number": 3,
  "uid": "bc69f34d-7ee8-47fe-a225-11b8e27e9a44",
  "hits": 16617
}
{
  "rule_number": 4,
  "uid": "26373728-50df-49c3-b8d0-8895e350bc9f",
  "hits": 1187628
}
</pre>
==example queries R75.30==
all hit count rows for a specific rule uid:
<pre>
sqlite3 $FWDIR/conf/hit_count_rules_table.sqlite 'select datetime(start_date, "unixepoch") as start_time, datetime(end_date, "unixepoch") as end_time, netobj_name, rule_uid, hits from HitCountRules where rule_uid="{609C7EC8-82CA-4A58-BEB8-226626DBD3E3}"'
</pre>
all hit count rows for a specific firewall:
<pre>
sqlite3 $FWDIR/conf/hit_count_rules_table.sqlite 'select datetime(start_date, "unixepoch") as start_time, datetime(end_date, "unixepoch") as end_time, netobj_name, rule_uid, hits from HitCountRules where netobj_name="myfirewall"'
</pre>
hits per day for a firewall, within a day range:
<pre>
sqlite3 $FWDIR/conf/hit_count_rules_table.sqlite 'select date(start_date, "unixepoch") as day, SUM(hits) AS hits_total from HitCountRules where netobj_name="<my_firewall>" AND day between "2017-07-25" and "2017-09-14" GROUP by day'
</pre>
keywords: hit count, hitcount

= r80.10 what is new =
==Unified Console==
===legacy apps gone?===
nope...
[[file:unified_and_legacy_consoles.png]]
===Multi-Domain login===
[[file:mds_login.png]]
===MultiDomain View===
[[file:multidomain_view.png]]
search is broken
===Gateway & Server View===
To use the MultiDomain view to launch a SmartConsole to the Domain (CMA) for a particular firewall of interest:
# navigate to Gateways & Server View
# find the firewall of interest
# sort by Domain
# right click the Domain Management object (CMA) in the same domain as the firewall and select View
[[file:gateway_view.png]]
===Global Policy Assignment===
[[file:global_assing.png]]
==Policy Layers and Sub-Policies==
==Security Policies View==
===tabbed policies===
===diffs===
objects window moved to the right side
policy install status lower left
===Publishing Changes===
===unpublished changes===
In earlier versions of SmartDashboard, if the client crashed or was disconnected then the changes were lost. This is not the case with R80+: changes are saved on the Management server automatically, but they do not take effect until published.
==troubleshooting==
error message
[[file:object_locked.png]]
This is often due to an unpublished session. The unpublished session can be found under Manage & Settings > Sessions > View Sessions. Look for a session with locks and changes. If the Connection Mode shows "Disconnected", then it is likely the source of the issue. An administrator can Publish, Discard or Take Over the session with the SmartConsole.
[[file:session_disconnected.png]]
[[file:unified_and_legacy_consoles.png]] ===Multi-Domain login=== [[file:mds_login.png]] ===MultiDomain View=== [[file:multidomain_view.png]] search is broken ===Gateway & Server View=== To use the MutliDomain view to launch a SmartConsole to the Domain(CMA) for a particular firewall of interest, 1) navigate to Gateways & Server View 2) find the firewall of interest 3) sort by Domain 4) right click the Domain Management object(CMA) in the same domain as the firewall and select View [[file:gateway_view.png]] ===Global Policy Assingment=== [[file:global_assing.png]] ==Policy Layers and Sub-Policies== ==Security Policies View== ===tabbed policies=== ===objects window=== moved to the right side ===Publishing Changes=== ===unpublished changes=== In earlier version of the SmartDashboard, if the client crashed or was disconnected then the changes were lost. This is not the case with r80+. Changes are saved on the Management server automatically. They do not take effect until published. ==troubleshooting== error message [[file:object_locked.png]] this is often due to an unpublished session. The unpublished session can be found under Manage & Settings > Sessions > View Sessions Look for session with locks and changes. If the Connection Mode show "Disconnected", then it is likely the source of the issue. An administrator can Publish, Discard or Take Over the session with the SmartConsole. [[file:session_disconnected.png]] 0f793f5d1a5c570ccb93318028ebdfd94a094fef 774 773 2018-05-01T19:46:15Z Nighthawk 1 /* Unified Console */ wikitext text/x-wiki ==Unified Console== ===legacy apps gone?=== nope... 
[[file:unified_and_legacy_consoles.png]] ===Multi-Domain login=== [[file:mds_login.png]] ===MultiDomain View=== [[file:multidomain_view.png]] search is broken ===Gateway & Server View=== To use the MutliDomain view to launch a SmartConsole to the Domain(CMA) for a particular firewall of interest, 1) navigate to Gateways & Server View 2) find the firewall of interest 3) sort by Domain 4) right click the Domain Management object(CMA) in the same domain as the firewall and select View [[file:gateway_view.png]] ===Global Policy Assingment=== [[file:global_assing.png]] ==Policy Layers and Sub-Policies== ==Security Policies View== ===tabbed policies=== ===Publishing Changes=== ===unpublished changes=== In earlier version of the SmartDashboard, if the client crashed or was disconnected then the changes were lost. This is not the case with r80+. Changes are saved on the Management server automatically. They do not take effect until published. ==troubleshooting== error message [[file:object_locked.png]] this is often due to an unpublished session. The unpublished session can be found under Manage & Settings > Sessions > View Sessions Look for session with locks and changes. If the Connection Mode show "Disconnected", then it is likely the source of the issue. An administrator can Publish, Discard or Take Over the session with the SmartConsole. 
[[file:session_disconnected.png]] cba0b51ee893bb5710e86dd528e1fe94f12e564d 773 771 2018-04-25T14:41:14Z Nighthawk 1 /* Publishing Changes */ wikitext text/x-wiki ==Unified Console== ===Multi-Domain login=== [[file:mds_login.png]] ===MultiDomain View=== [[file:multidomain_view.png]] search is broken ===Gateway & Server View=== To use the MutliDomain view to launch a SmartConsole to the Domain(CMA) for a particular firewall of interest, 1) navigate to Gateways & Server View 2) find the firewall of interest 3) sort by Domain 4) right click the Domain Management object(CMA) in the same domain as the firewall and select View [[file:gateway_view.png]] ===Global Policy Assingment=== [[file:global_assing.png]] ==Policy Layers and Sub-Policies== ==Security Policies View== ===tabbed policies=== ===Publishing Changes=== ===unpublished changes=== In earlier version of the SmartDashboard, if the client crashed or was disconnected then the changes were lost. This is not the case with r80+. Changes are saved on the Management server automatically. They do not take effect until published. ==troubleshooting== error message [[file:object_locked.png]] this is often due to an unpublished session. The unpublished session can be found under Manage & Settings > Sessions > View Sessions Look for session with locks and changes. If the Connection Mode show "Disconnected", then it is likely the source of the issue. An administrator can Publish, Discard or Take Over the session with the SmartConsole. 
[[file:session_disconnected.png]]

Revision 771 (2018-04-24T21:39:45Z, Nighthawk): /* troubleshooting */

==Unified Console==
===Multi-Domain login===
[[file:mds_login.png]]

===MultiDomain View===
[[file:multidomain_view.png]]

search is broken

===Gateway & Server View===
To use the MultiDomain view to launch a SmartConsole to the Domain (CMA) for a particular firewall of interest:
# navigate to the Gateways & Servers view
# find the firewall of interest
# sort by Domain
# right click the Domain Management object (CMA) in the same domain as the firewall and select View

[[file:gateway_view.png]]

===Global Policy Assignment===
[[file:global_assing.png]]

==Policy Layers and Sub-Policies==

==Security Policies View==
===tabbed policies===

==Publishing Changes==
===unpublished changes===

==troubleshooting==
error message

[[file:object_locked.png]]

This is often due to an unpublished session. The unpublished session can be found under Manage & Settings > Sessions > View Sessions. Look for a session with locks and changes. If the Connection Mode shows "Disconnected", it is likely the source of the issue. An administrator can Publish, Discard or Take Over the session from the SmartConsole.

[[file:session_disconnected.png]]
r80 api notes (page id 220), revision 911 (2024-06-09T07:05:30Z, Nighthawk)

==Management server API setup==
===enabling for remote IPs===
Done in the SmartConsole:

[[file:cp_mgmt_api_enable_all_IPs.png]]

It can also be enabled via mgmt_cli under "set api-settings".

===status check===
 [Expert@chmkmgr1:0]# api status
 API Settings:
 -----------------
 Accessibility: Require all granted
 Automatic Start: Enabled
 Processes:
 Name     State     PID     More Information
 -------------------------------------------------
 API      Started   10763
 CPM      Started   10460   Check Point Security Management Server is running and ready
 FWM      Started   10007
 Port Details:
 ----------------
 JETTY Internal Port: 50276
 APACHE Gaia Port: 443
 -------------------------------------------------
 Overall API Status: Started
 -------------------------------------------------
 API readiness test SUCCESSFUL. The server is up and ready to receive connections

==examples==
===logging in===
Log in and redirect the session info to a file for reuse. The file holds the session id, so treat it like a credential (restrict its permissions, and log out when done):
 # mgmt_cli login user admin > id.txt
Same, but read-only:
 # mgmt_cli login user admin read-only true > id.txt

===search existing object===
Search objects by IP; return all objects that contain the IP explicitly or within a network address space/range:
 # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}'
Return only objects with the EXACT IP:
 # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name'
*** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object)

===access rules===
====notes before you begin====
When using the parameter "name" to refer to a particular package, it appears to require the following:
 <package name> <layer name>
as shown by the show access-layers command below. Also, the output of show access-rulebase is limited to 50 rules.
If you want more, I think you have to iterate through a set of offsets until all the rules are dumped.

That dump in JSON format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get one rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. They will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands.

For example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with
 | jq '.rulebase[]'
If you DO HAVE headers, to output the rules you need
 | jq '.rulebase[] | .rulebase[]'

====show access layers?====
 [Expert@chmkmgr1:0]# mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name'
 "dropall Network"
 "Network"
where "Network" represents the default policy package Standard.

====examples====
Show the number of rules in a policy:
 mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total'
Display the rule with uid = xxx:
 # mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"
Display src/dst/service from the rule with that uid:
 for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq ".$i[].name"; done
Alternate (inferior) way with jq:
 mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"'
 1
Display rule number(s) with a comment containing the string haha:
 mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}'

====adding rules====
 mgmt_cli -s id.txt add access-rule layer xxad70c9-b4c6-4e64-9bfd-d57ac91289f3 name new_rule
 mgmt_cli -s id.txt add access-rule layer xx70adc9-b4c6-4e64-9bfd-d57ac91289f3 position top name new_rule
 mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" action "Accept" service add "https"
 mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" service.add "https"

===mds / domain===
Get a list of domains, objects (management and firewalls) and object types. Each object yields three values (domain name, object name, type), so xargs -n3 prints one object per line:
 mgmt_cli.exe -s id.txt show gateways-and-servers --format json limit 500 | jq '.objects[] | .domain.name, .name, .type' | xargs -n3

===log queries===
 mgmt_cli -s id.txt show-logs new-query.filter "src:10.0.0.11 and service:https" new-query.time-frame last-hour new-query.max-logs-per-request 1 --format json | jq '.logs[] | {time: .time, fw: .orig, log_server: .orig_log_server, policy: .policy_name, action: .action, source: .src, dest: .dst, service: .service}'
 {
   "time": "2023-06-09T06:20:20Z",
   "fw": "my_cp_fw1",
   "log_server": "192.168.1.88",
   "policy": "super_secure",
   "action": "Accept",
   "source": "10.0.0.11",
   "dest": "204.79.197.203",
   "service": "443"
 }

==jq==
Compound jq select using and/or (note: contains returns true/false):
 | jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} '
And another one:
 | jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("hahah") or contains("lol") | not )) and (.enabled == true)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} '
Filter the objects dictionary for the uid of the Accept action:
 jq '."objects-dictionary"[] | select (.name == "Accept") | .uid'
Get cluster member policy installation targets:
 | jq -c '."installation-targets-revision"[] | ."cluster-members-revision"[] | ."target-name"' | tr -d '"' | tr '\n' ' '
Get values without keys. Example with keys:
 | jq '.objects[] | {name: .name, type: .type}'
 { "name": "chkp-fw", "type": "simple-gateway" }
 { "name": "chkp-mgmt", "type": "checkpoint-host" }
Without keys, change from curly {} to square [] brackets and drop the key references:
 | jq '.objects[] | [.name, .type]'
 [ "chkp-fw", "simple-gateway" ]
 [ "chkp-mgmt", "checkpoint-host" ]
Print all values on the same line, comma separated:
 | jq '.objects[] | [.name, .type] | join(",")'
 "chkp-fw,simple-gateway"
 "chkp-mgmt,checkpoint-host"

==curl==
Generic POST with a JSON body (URL omitted):
 curl -X POST -H "Content-Type: application/json" -d '{"userId": 5, "title": "Post Title", "body": "Post content."}'
 curl -X POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' 192.168.1.10:443/login
Login against the Web API:
 $ curl --insecure -X POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' https://192.168.1.10:443/web_api/login
 {
   "uid" : "46a11170-e554-4e58-a5fc-65ff9e38d8cb",
   "sid" : "dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres",
   "url" : "https://192.168.1.10:443/web_api",
   "session-timeout" : 600,
   "last-login-was-at" : {
     "posix" : 1707413218074,
     "iso-8601" : "2024-02-08T10:26-0700"
   },
   "api-server-version" : "1.8.1",
   "user-name" : "jsmith",
   "user-uid" : "c1109c35-d741-7jg8-98e3-36669b7047a2"
 }
The sid from the login reply goes in the X-chkp-sid header of every later call (a keepalive here). --insecure skips certificate validation, so use it only where the client does not yet trust the management server's certificate.
 $ curl --insecure -X POST -H "Content-Type: application/json" -H "X-chkp-sid: dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres" -d '{ }' https://192.168.1.10:443/web_api/keepalive
 { "message" : "OK" }

==links==
[https://community.checkpoint.com/t5/General-Management-Topics/What-s-new-with-R80-20M1-Management-API/td-p/39522 What's new with R80.20M1 Management API]
[https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.4%20 r80 api reference]
[https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api]
parsing json return output
[https://stedolan.github.io/jq/ jq]
[https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli]
[https://devqa.io/curl-sending-api-requests/ How to Use CURL to Send API Requests] d64b1dbb90e18251831989db4d5862075b3826df 910 906 2024-06-09T07:04:51Z Nighthawk 1 wikitext text/x-wiki ==Management server API setup== ===enabling for remote IPs=== done the smartconsole [[file:cp_mgmt_api_enable_all_IPs.png]] it can also be enabled via mgmt_cli under "set api-settings" ===status check=== [Expert@chmkmgr1:0]# '''api status''' <br>API Settings: <br><nowiki>-----------------</nowiki> <br>Accessibility: Require all granted <br>Automatic Start: Enabled <br>Processes: <br>Name State PID More Information <br><nowiki>-------------------------------------------------</nowiki> <br>API Started 10763 <br>CPM Started 10460 Check Point Security Management Server is running and ready <br>FWM Started 10007 <br>Port Details: <br><nowiki>----------------</nowiki> <br>JETTY Internal Port: 50276 <br>APACHE Gaia Port: 443 <br><nowiki>-------------------------------------------------</nowiki> <br>Overall API Status: Started <br><nowiki>-------------------------------------------------</nowiki> <br>API readiness test SUCCESSFUL. The server is up and ready to receive connections ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user admin > id.txt same but read only # mgmt_cli login user admin read-only true > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. 
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ===access rules=== ====notes before you begin==== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... 
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | jq '.rulebase[]' if you DO HAVE headers, to output the rules you need | jq '.rulebase[] | .rulebase[]' ====show access layers?==== [Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network"''' "Network" where "Network" represents the default policy package Standard ====examples==== show number of rules in policy mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total' display rule with uid = xxx # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"''' display src/dst/service from rule with uid for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done alternate(inferior) way with jq mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1 display rule number with comment containing a string haha mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' ====adding rules==== mgmt_cli -s id.txt add access-rule layer xxad70c9-b4c6-4e64-9bfd-d57ac91289f3 name new_rule mgmt_cli -s id.txt add access-rule layer xx70adc9-b4c6-4e64-9bfd-d57ac91289f3 position top name new_rule mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" action "Accept" service add "https" mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" service.add "https" ===mds / domain=== get list of domains,objects(management and 
firewalls),object type mgmt_cli.exe -s id.txt show gateways-and-servers --format json limit 500 | jq '.objects.nat,.name,.type' | xargs -n3 ===log queries=== mgmt_cli -s id.txt show-logs new-query.filter "src:10.0.0.11 and service:https" new-query.time-frame last-hour new-query.max-logs-per-request 1 --format json | jq '.logs[] | {time: .time,fw: .orig,log_server: .orig_log_server,policy: .policy_name,action: .action,source: .src,dest: .dst,service: .service}' { "time": "2023-06-09T06:20:20Z", "fw": "my_cp_fw1", "log_server": "192.168.1.88", "policy": "super_secure", "action": "Accept", "source": "10.0.0.11", "dest": "204.79.197.203", "service": "443" } ===jq=== compound jq select using and/or (note: contains returns true/false) | jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} ' and another one... | jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("hahah") or contains("lol") | not )) and (.enabled == true)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} ' filter objects dictary for uid for accept action jq '."objects-dictionary"[] | select (.name == "Accept") | .uid' get cluster member policy installation targets | jq -c '."installation-targets-revision"[] | ."cluster-members-revision"[] | ."target-name"' | tr -d '"' | tr '\n' ' ' get values without keys example with keys... 
'''| jq '.objects[] | {name: .name,type: .type}'''' { "name": chkp-fw", "type": "simple-gateway" } { "name": "chkp-mgmt", "type": "checkpoint-host" } without keys, change from curly {} to square [] brackets and drop key references '''| jq '.objects[] | [.name, .type]'''' [ "chkp-fw", "simple-gateway" ] [ "chkp-mgmt", "checkpoint-host" ] print all values on the same line, comma separated '''| jq '.objects[] | [.name, .type] | join (",")''' "chkp-fw simple-gateway" "chkp-mgmt,checkpoint-host" ===curl=== curl -X POST -H "Content-Type: application/json" -d '{"userId": 5, "title": "Post Title", "body": "Post content."}' curl -X -H POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' 192.168.1.10:443/login $ '''curl --insecure -X POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' https://192.168.1.10:443/web_api/login''' { "uid" : "46a11170-e554-4e58-a5fc-65ff9e38d8cb", "sid" : "dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres", "url" : "https://192.168.1.10:443/web_api", "session-timeout" : 600, "last-login-was-at" : { "posix" : 1707413218074, "iso-8601" : "2024-02-08T10:26-0700" }, "api-server-version" : "1.8.1", "user-name" : "jsmith", "user-uid" : "c1109c35-d741-7jg8-98e3-36669b7047a2" $ '''curl --insecure -X POST -H "Content-Type: application/json" -H "X-chkp-sid: dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres" -d '{ }' https://192.168.1.10:443/web_api/keepalive''' { "message" : "OK" } ==links== [https://community.checkpoint.com/t5/General-Management-Topics/What-s-new-with-R80-20M1-Management-API/td-p/39522 What's new with R80.20M1 Management API] [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.4%20 r80 api reference] [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli] 
[https://devqa.io/curl-sending-api-requests/ How to Use CURL to Send API Requests] 5db64e28ce6f75854136c60a100fa0cba6be0d8f 906 905 2024-05-02T04:18:22Z Nighthawk 1 /* jq */ wikitext text/x-wiki ==Management server API setup== ===enabling for remote IPs=== done the smartconsole [[file:cp_mgmt_api_enable_all_IPs.png]] it can also be enabled via mgmt_cli under "set api-settings" ===status check=== [Expert@chmkmgr1:0]# '''api status''' <br>API Settings: <br><nowiki>-----------------</nowiki> <br>Accessibility: Require all granted <br>Automatic Start: Enabled <br>Processes: <br>Name State PID More Information <br><nowiki>-------------------------------------------------</nowiki> <br>API Started 10763 <br>CPM Started 10460 Check Point Security Management Server is running and ready <br>FWM Started 10007 <br>Port Details: <br><nowiki>----------------</nowiki> <br>JETTY Internal Port: 50276 <br>APACHE Gaia Port: 443 <br><nowiki>-------------------------------------------------</nowiki> <br>Overall API Status: Started <br><nowiki>-------------------------------------------------</nowiki> <br>API readiness test SUCCESSFUL. The server is up and ready to receive connections ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user admin > id.txt same but read only # mgmt_cli login user admin read-only true > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. 
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... 
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | jq '.rulebase[]' if you DO HAVE headers, to output the rules you need | jq '.rulebase[] | .rulebase[]' ====rule numbers==== ===show access layers?=== [Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network"''' "Network" where "Network" represents the default policy package Standard ===examples=== show number of rules in policy mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total' display rule with uid = xxx # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"''' display src/dst/service from rule with uid for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done alternate(inferior) way with jq mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1 display rule number with comment containing a string haha mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' ===adding rules=== mgmt_cli -s id.txt add access-rule layer xxad70c9-b4c6-4e64-9bfd-d57ac91289f3 name new_rule mgmt_cli -s id.txt add access-rule layer xx70adc9-b4c6-4e64-9bfd-d57ac91289f3 position top name new_rule mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" action "Accept" service add "https" mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" service.add "https" ===mds / domain=== get list of 
domains,objects(management and firewalls),object type mgmt_cli.exe -s id.txt show gateways-and-servers --format json limit 500 | jq '.objects.nat,.name,.type' | xargs -n3 ==examples== ===jq=== compound jq select using and/or (note: contains returns true/false) | jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} ' and another one... | jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("hahah") or contains("lol") | not )) and (.enabled == true)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} ' filter objects dictary for uid for accept action jq '."objects-dictionary"[] | select (.name == "Accept") | .uid' get cluster member policy installation targets | jq -c '."installation-targets-revision"[] | ."cluster-members-revision"[] | ."target-name"' | tr -d '"' | tr '\n' ' ' get values without keys example with keys... '''| jq '.objects[] | {name: .name,type: .type}'''' { "name": chkp-fw", "type": "simple-gateway" } { "name": "chkp-mgmt", "type": "checkpoint-host" } without keys, change from curly {} to square [] brackets and drop key references '''| jq '.objects[] | [.name, .type]'''' [ "chkp-fw", "simple-gateway" ] [ "chkp-mgmt", "checkpoint-host" ] print all values on the same line, comma separated '''| jq '.objects[] | [.name, .type] | join (",")''' "chkp-fw simple-gateway" "chkp-mgmt,checkpoint-host" ===curl=== curl -X POST -H "Content-Type: application/json" -d '{"userId": 5, "title": "Post Title", "body": "Post content."}' curl -X -H POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' 192.168.1.10:443/login $ '''curl --insecure -X POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' https://192.168.1.10:443/web_api/login''' { "uid" : "46a11170-e554-4e58-a5fc-65ff9e38d8cb", "sid" : "dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres", "url" : 
"https://192.168.1.10:443/web_api", "session-timeout" : 600, "last-login-was-at" : { "posix" : 1707413218074, "iso-8601" : "2024-02-08T10:26-0700" }, "api-server-version" : "1.8.1", "user-name" : "jsmith", "user-uid" : "c1109c35-d741-7jg8-98e3-36669b7047a2" $ '''curl --insecure -X POST -H "Content-Type: application/json" -H "X-chkp-sid: dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres" -d '{ }' https://192.168.1.10:443/web_api/keepalive''' { "message" : "OK" } ==links== [https://community.checkpoint.com/t5/General-Management-Topics/What-s-new-with-R80-20M1-Management-API/td-p/39522 What's new with R80.20M1 Management API] [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.4%20 r80 api reference] [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli] [https://devqa.io/curl-sending-api-requests/ How to Use CURL to Send API Requests] 5cc77d8505569683083ed0bb95aecf0d0ba4923c 905 904 2024-05-02T04:18:00Z Nighthawk 1 /* jq */ wikitext text/x-wiki ==Management server API setup== ===enabling for remote IPs=== done the smartconsole [[file:cp_mgmt_api_enable_all_IPs.png]] it can also be enabled via mgmt_cli under "set api-settings" ===status check=== [Expert@chmkmgr1:0]# '''api status''' <br>API Settings: <br><nowiki>-----------------</nowiki> <br>Accessibility: Require all granted <br>Automatic Start: Enabled <br>Processes: <br>Name State PID More Information <br><nowiki>-------------------------------------------------</nowiki> <br>API Started 10763 <br>CPM Started 10460 Check Point Security Management Server is running and ready <br>FWM Started 10007 <br>Port Details: <br><nowiki>----------------</nowiki> <br>JETTY Internal Port: 50276 <br>APACHE Gaia Port: 443 <br><nowiki>-------------------------------------------------</nowiki> <br>Overall API Status: Started 
<br><nowiki>-------------------------------------------------</nowiki> <br>API readiness test SUCCESSFUL. The server is up and ready to receive connections ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user admin > id.txt same but read only # mgmt_cli login user admin read-only true > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... 
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with
| jq '.rulebase[]'
if you DO HAVE headers, to output the rules you need
| jq '.rulebase[] | .rulebase[]'
===show access layers?===
[Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name''''
"dropall Network"
"Network"
where "Network" is the Network layer of the default policy package Standard, and "dropall Network" is the Network layer of a package named dropall
===examples===
show number of rules in policy
mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total'
display rule with uid = xxx
# '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"'''
display src/dst/service from rule with uid
for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq ".$i[].name"; done
alternate (inferior) way with jq: dump the layer and select the rule by uid, subject to the 50-rule default limit and section nesting described above
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"'
1
display rule number with comment containing a string haha
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}'
{ "rulenum": 1, "comment": "hahahlol" }
===adding rules===
add access-rule requires a position (top, bottom, or a rule number); the first form below is rejected without it
mgmt_cli -s id.txt add access-rule layer xxad70c9-b4c6-4e64-9bfd-d57ac91289f3 name new_rule
mgmt_cli -s id.txt add access-rule layer xx70adc9-b4c6-4e64-9bfd-d57ac91289f3 position top name new_rule
set fields on the new rule; list-valued fields such as service are changed with the dotted .add/.remove form, so "service add" fails and "service.add" works
mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" action "Accept" service.add "https"
changes made with add/set exist only in your session until you '''mgmt_cli publish -s id.txt''' (or '''mgmt_cli discard -s id.txt''' to throw them away), and reach the gateways only after install-policy
===mds / domain===
get list of domains, objects (management and firewalls), object type
mgmt_cli.exe -s id.txt show gateways-and-servers --format json limit 500 | jq '.objects[] | .domain.name, .name, .type' | xargs -n3
==examples==
===jq===
compound jq select using and/or (note: contains returns true/false)
| jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} '
and another one...
| jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("hahah") or contains("lol") | not )) and (.enabled == true)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} '
filter objects dictionary for the uid of the Accept action
jq '."objects-dictionary"[] | select (.name == "Accept") | .uid'
get cluster member policy installation targets
| jq -c '."installation-targets-revision"[] | ."cluster-members-revision"[] | ."target-name"' | tr -d '"' | tr '\n' ' '
get values without keys
example with keys...
'''| jq '.objects[] | {name: .name, type: .type}''''
{ "name": "chkp-fw", "type": "simple-gateway" }
{ "name": "chkp-mgmt", "type": "checkpoint-host" }
without keys, change from curly {} to square [] brackets and drop key references
'''| jq '.objects[] | [.name, .type]''''
[ "chkp-fw", "simple-gateway" ]
[ "chkp-mgmt", "checkpoint-host" ]
print all values on the same line, comma separated (add -r to jq to drop the surrounding quotes)
'''| jq '.objects[] | [.name, .type] | join(",")''''
"chkp-fw,simple-gateway"
"chkp-mgmt,checkpoint-host"
===curl===
generic form of a JSON POST
curl -X POST -H "Content-Type: application/json" -d '{"userId": 5, "title": "Post Title", "body": "Post content."}' <url>
login to the management API. --insecure skips validation of the management server certificate, so outside a lab use --cacert <ca.pem> instead; the password on the command line also lands in shell history. The returned sid is the session credential for every later call
$ '''curl --insecure -X POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' https://192.168.1.10:443/web_api/login'''
{ "uid" : "46a11170-e554-4e58-a5fc-65ff9e38d8cb", "sid" :
"dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres", "url" : "https://192.168.1.10:443/web_api", "session-timeout" : 600, "last-login-was-at" : { "posix" : 1707413218074, "iso-8601" : "2024-02-08T10:26-0700" }, "api-server-version" : "1.8.1", "user-name" : "jsmith", "user-uid" : "c1109c35-d741-7jg8-98e3-36669b7047a2" }
keepalive with the session id in the X-chkp-sid header; the session expires after session-timeout seconds of inactivity (600 above) unless kept alive, and should be ended with /web_api/logout when the work is done
$ '''curl --insecure -X POST -H "Content-Type: application/json" -H "X-chkp-sid: dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres" -d '{ }' https://192.168.1.10:443/web_api/keepalive'''
{ "message" : "OK" }
==links==
[https://community.checkpoint.com/t5/General-Management-Topics/What-s-new-with-R80-20M1-Management-API/td-p/39522 What's new with R80.20M1 Management API]
[https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.4%20 r80 api reference]
[https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api]
parsing json return output
[https://stedolan.github.io/jq/ jq]
[https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli]
[https://devqa.io/curl-sending-api-requests/ How to Use CURL to Send API Requests]
4872d7edf27012909d51494b6e13331d4c092d6b
904 903 2024-05-02T04:17:39Z Nighthawk 1 /* jq */ wikitext text/x-wiki 4c406a188c14466968ab4249a8a8aac4d9c13b9a
903 902 2024-05-02T04:17:11Z Nighthawk 1 /* jq */ wikitext text/x-wiki b21a2c48f55abd7b090986b706a18ab4877fe4e5
902 901 2024-05-02T04:07:15Z Nighthawk 1 /* jq */ wikitext text/x-wiki 826be377c56cd2a042f9a2a2e36edb2e67ff0d6d
901 900 2024-04-01T19:25:28Z Nighthawk 1 /* curl */ wikitext text/x-wiki 53e70b176ef40e7cafb8b6fad7103df079db2e2d
900 899 2024-03-19T16:24:06Z Nighthawk 1 /* curl */ wikitext text/x-wiki
==Management server API setup==
===enabling for remote IPs===
done in SmartConsole
[[file:cp_mgmt_api_enable_all_IPs.png]]
it can also be enabled via mgmt_cli under "set api-settings"
===status check===
[Expert@chmkmgr1:0]# '''api status'''
<br>API Settings:
<br><nowiki>-----------------</nowiki>
<br>Accessibility: Require all granted
<br>Automatic Start: Enabled
<br>Processes:
<br>Name State PID More Information
<br><nowiki>-------------------------------------------------</nowiki>
<br>API Started 10763
<br>CPM Started 10460 Check Point Security Management Server is running and ready
<br>FWM Started 10007
<br>Port Details:
<br><nowiki>----------------</nowiki>
<br>JETTY Internal Port: 50276
<br>APACHE Gaia Port: 443
<br><nowiki>-------------------------------------------------</nowiki>
<br>Overall API Status: Started
<br><nowiki>-------------------------------------------------</nowiki>
<br>API readiness test SUCCESSFUL.
The server is up and ready to receive connections ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user admin > id.txt same but read only # mgmt_cli login user admin read-only true > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... 
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | jq '.rulebase[]' if you DO HAVE headers, to output the rules you need | jq '.rulebase[] | .rulebase[]' ====rule numbers==== ===show access layers?=== [Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network"''' "Network" where "Network" represents the default policy package Standard ===examples=== show number of rules in policy mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total' display rule with uid = xxx # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"''' display src/dst/service from rule with uid for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done alternate(inferior) way with jq mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1 display rule number with comment containing a string haha mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' ===adding rules=== mgmt_cli -s id.txt add access-rule layer xxad70c9-b4c6-4e64-9bfd-d57ac91289f3 name new_rule mgmt_cli -s id.txt add access-rule layer xx70adc9-b4c6-4e64-9bfd-d57ac91289f3 position top name new_rule mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" action "Accept" service add "https" mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" service.add "https" ===mds / domain=== get list of 
domains,objects(management and firewalls),object type mgmt_cli.exe -s id.txt show gateways-and-servers --format json limit 500 | jq '.objects.nat,.name,.type' | xargs -n3 ==examples== ===jq=== compound jq select using and/or (note: contains returns true/false) | jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} ' and another one... | jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("hahah") or contains("lol") | not )) and (.enabled == true)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} ' filter objects dictary for uid for accept action jq '."objects-dictionary"[] | select (.name == "Accept") | .uid' get cluster member policy installation targets | jq -c '."installation-targets-revision"[] | ."cluster-members-revision"[] | ."target-name"' | tr -d '"' | tr '\n' ' ' "rulenum": 1, <br> "comment": "hahahlol" ===curl=== curl -X POST -H "Content-Type: application/json" -d '{"userId": 5, "title": "Post Title", "body": "Post content."}' curl -X -H POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' 192.168.1.10:443/login $ '''curl --insecure -X POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' https://192.168.1.10:443/web_api/login''' { "uid" : "46a11170-e554-4e58-a5fc-65ff9e38d8cb", "sid" : "dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres", "url" : "https://10.128.1.81:443/web_api", "session-timeout" : 600, "last-login-was-at" : { "posix" : 1707413218074, "iso-8601" : "2024-02-08T10:26-0700" }, "api-server-version" : "1.8.1", "user-name" : "jsmith", "user-uid" : "c1109c35-d741-7jg8-98e3-36669b7047a2" $ '''curl --insecure -X POST -H "Content-Type: application/json" -H "X-chkp-sid: dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres" -d '{ }' https://192.168.1.10:443/web_api/keepalive''' { "message" : "OK" } ==links== 
[https://community.checkpoint.com/t5/General-Management-Topics/What-s-new-with-R80-20M1-Management-API/td-p/39522 What's new with R80.20M1 Management API] [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.4%20 r80 api reference] [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli] [https://devqa.io/curl-sending-api-requests/ How to Use CURL to Send API Requests] b075a30ba753b3419866831f8d4d6e3123b41b35 899 898 2024-03-19T16:23:09Z Nighthawk 1 /* curl */ wikitext text/x-wiki ==Management server API setup== ===enabling for remote IPs=== done the smartconsole [[file:cp_mgmt_api_enable_all_IPs.png]] it can also be enabled via mgmt_cli under "set api-settings" ===status check=== [Expert@chmkmgr1:0]# '''api status''' <br>API Settings: <br><nowiki>-----------------</nowiki> <br>Accessibility: Require all granted <br>Automatic Start: Enabled <br>Processes: <br>Name State PID More Information <br><nowiki>-------------------------------------------------</nowiki> <br>API Started 10763 <br>CPM Started 10460 Check Point Security Management Server is running and ready <br>FWM Started 10007 <br>Port Details: <br><nowiki>----------------</nowiki> <br>JETTY Internal Port: 50276 <br>APACHE Gaia Port: 443 <br><nowiki>-------------------------------------------------</nowiki> <br>Overall API Status: Started <br><nowiki>-------------------------------------------------</nowiki> <br>API readiness test SUCCESSFUL. 
The server is up and ready to receive connections ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user admin > id.txt same but read only # mgmt_cli login user admin read-only true > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... 
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | jq '.rulebase[]' if you DO HAVE headers, to output the rules you need | jq '.rulebase[] | .rulebase[]' ====rule numbers==== ===show access layers?=== [Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network"''' "Network" where "Network" represents the default policy package Standard ===examples=== show number of rules in policy mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total' display rule with uid = xxx # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"''' display src/dst/service from rule with uid for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done alternate(inferior) way with jq mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1 display rule number with comment containing a string haha mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' ===adding rules=== mgmt_cli -s id.txt add access-rule layer xxad70c9-b4c6-4e64-9bfd-d57ac91289f3 name new_rule mgmt_cli -s id.txt add access-rule layer xx70adc9-b4c6-4e64-9bfd-d57ac91289f3 position top name new_rule mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" action "Accept" service add "https" mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" service.add "https" ===mds / domain=== get list of 
domains,objects(management and firewalls),object type mgmt_cli.exe -s id.txt show gateways-and-servers --format json limit 500 | jq '.objects.nat,.name,.type' | xargs -n3 ==examples== ===jq=== compound jq select using and/or (note: contains returns true/false) | jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} ' and another one... | jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("hahah") or contains("lol") | not )) and (.enabled == true)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} ' filter objects dictary for uid for accept action jq '."objects-dictionary"[] | select (.name == "Accept") | .uid' get cluster member policy installation targets | jq -c '."installation-targets-revision"[] | ."cluster-members-revision"[] | ."target-name"' | tr -d '"' | tr '\n' ' ' "rulenum": 1, <br> "comment": "hahahlol" ===curl=== curl -X POST -H "Content-Type: application/json" -d '{"userId": 5, "title": "Post Title", "body": "Post content."}' curl -X -H POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' 192.168.1.10:443/login $ '''curl --insecure -X POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' https://192.168.1.10:443/web_api/login''' { "uid" : "46a11170-e554-4e58-a5fc-65ff9e38d8cb", "sid" : "dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres", "url" : "https://10.128.1.81:443/web_api", "session-timeout" : 600, "last-login-was-at" : { "posix" : 1707413218074, "iso-8601" : "2024-02-08T10:26-0700" }, "api-server-version" : "1.8.1", "user-name" : "jsmith", "user-uid" : "c1109c35-d741-7jg8-98e3-36669b7047a2" $ '''curl --insecure -X POST -H "Content-Type: application/json" -H "X-chkp-sid: $SESSIONID" -d '{ }' https://192.168.1.10:443/web_api/keepalive''' { "message" : "OK" } ==links== 
[https://community.checkpoint.com/t5/General-Management-Topics/What-s-new-with-R80-20M1-Management-API/td-p/39522 What's new with R80.20M1 Management API] [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.4%20 r80 api reference] [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli] [https://devqa.io/curl-sending-api-requests/ How to Use CURL to Send API Requests] 0aec84146ee509d45c9bb7fd441abb150481f6e3 898 897 2024-03-19T16:15:28Z Nighthawk 1 /* curl */ wikitext text/x-wiki ==Management server API setup== ===enabling for remote IPs=== done the smartconsole [[file:cp_mgmt_api_enable_all_IPs.png]] it can also be enabled via mgmt_cli under "set api-settings" ===status check=== [Expert@chmkmgr1:0]# '''api status''' <br>API Settings: <br><nowiki>-----------------</nowiki> <br>Accessibility: Require all granted <br>Automatic Start: Enabled <br>Processes: <br>Name State PID More Information <br><nowiki>-------------------------------------------------</nowiki> <br>API Started 10763 <br>CPM Started 10460 Check Point Security Management Server is running and ready <br>FWM Started 10007 <br>Port Details: <br><nowiki>----------------</nowiki> <br>JETTY Internal Port: 50276 <br>APACHE Gaia Port: 443 <br><nowiki>-------------------------------------------------</nowiki> <br>Overall API Status: Started <br><nowiki>-------------------------------------------------</nowiki> <br>API readiness test SUCCESSFUL. 
The server is up and ready to receive connections ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user admin > id.txt same but read only # mgmt_cli login user admin read-only true > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... 
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | jq '.rulebase[]' if you DO HAVE headers, to output the rules you need | jq '.rulebase[] | .rulebase[]' ====rule numbers==== ===show access layers?=== [Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network"''' "Network" where "Network" represents the default policy package Standard ===examples=== show number of rules in policy mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total' display rule with uid = xxx # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"''' display src/dst/service from rule with uid for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done alternate(inferior) way with jq mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1 display rule number with comment containing a string haha mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' ===adding rules=== mgmt_cli -s id.txt add access-rule layer xxad70c9-b4c6-4e64-9bfd-d57ac91289f3 name new_rule mgmt_cli -s id.txt add access-rule layer xx70adc9-b4c6-4e64-9bfd-d57ac91289f3 position top name new_rule mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" action "Accept" service add "https" mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" service.add "https" ===mds / domain=== get list of 
domains,objects(management and firewalls),object type mgmt_cli.exe -s id.txt show gateways-and-servers --format json limit 500 | jq '.objects.nat,.name,.type' | xargs -n3 ==examples== ===jq=== compound jq select using and/or (note: contains returns true/false) | jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} ' and another one... | jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("hahah") or contains("lol") | not )) and (.enabled == true)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} ' filter objects dictary for uid for accept action jq '."objects-dictionary"[] | select (.name == "Accept") | .uid' get cluster member policy installation targets | jq -c '."installation-targets-revision"[] | ."cluster-members-revision"[] | ."target-name"' | tr -d '"' | tr '\n' ' ' "rulenum": 1, <br> "comment": "hahahlol" ===curl=== curl -X POST -H "Content-Type: application/json" -d '{"userId": 5, "title": "Post Title", "body": "Post content."}' curl -X -H POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' 192.168.1.10:443/login $ '''curl --insecure -X POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' https://192.168.1.10:443/web_api/login''' { "uid" : "46a11170-e554-4e58-a5fc-65ff9e38d8cb", "sid" : "dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres", "url" : "https://10.128.1.81:443/web_api", "session-timeout" : 600, "last-login-was-at" : { "posix" : 1707413218074, "iso-8601" : "2024-02-08T10:26-0700" }, "api-server-version" : "1.8.1", "user-name" : "jsmith", "user-uid" : "c1109c35-d741-7jg8-98e3-36669b7047a2" lol ==links== [https://community.checkpoint.com/t5/General-Management-Topics/What-s-new-with-R80-20M1-Management-API/td-p/39522 What's new with R80.20M1 Management API] [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.4%20 r80 api 
reference] [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli] [https://devqa.io/curl-sending-api-requests/ How to Use CURL to Send API Requests] c5d95d3e5ba2d9ee3fc8c6981da4dcb2ca5e6f29 897 896 2024-03-19T16:14:52Z Nighthawk 1 /* curl */ wikitext text/x-wiki ==Management server API setup== ===enabling for remote IPs=== done the smartconsole [[file:cp_mgmt_api_enable_all_IPs.png]] it can also be enabled via mgmt_cli under "set api-settings" ===status check=== [Expert@chmkmgr1:0]# '''api status''' <br>API Settings: <br><nowiki>-----------------</nowiki> <br>Accessibility: Require all granted <br>Automatic Start: Enabled <br>Processes: <br>Name State PID More Information <br><nowiki>-------------------------------------------------</nowiki> <br>API Started 10763 <br>CPM Started 10460 Check Point Security Management Server is running and ready <br>FWM Started 10007 <br>Port Details: <br><nowiki>----------------</nowiki> <br>JETTY Internal Port: 50276 <br>APACHE Gaia Port: 443 <br><nowiki>-------------------------------------------------</nowiki> <br>Overall API Status: Started <br><nowiki>-------------------------------------------------</nowiki> <br>API readiness test SUCCESSFUL. The server is up and ready to receive connections ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user admin > id.txt same but read only # mgmt_cli login user admin read-only true > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. 
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... 
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | jq '.rulebase[]' if you DO HAVE headers, to output the rules you need | jq '.rulebase[] | .rulebase[]' ====rule numbers==== ===show access layers?=== [Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network"''' "Network" where "Network" represents the default policy package Standard ===examples=== show number of rules in policy mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total' display rule with uid = xxx # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"''' display src/dst/service from rule with uid for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done alternate(inferior) way with jq mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1 display rule number with comment containing a string haha mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' ===adding rules=== mgmt_cli -s id.txt add access-rule layer xxad70c9-b4c6-4e64-9bfd-d57ac91289f3 name new_rule mgmt_cli -s id.txt add access-rule layer xx70adc9-b4c6-4e64-9bfd-d57ac91289f3 position top name new_rule mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" action "Accept" service add "https" mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" service.add "https" ===mds / domain=== get list of 
domains,objects(management and firewalls),object type mgmt_cli.exe -s id.txt show gateways-and-servers --format json limit 500 | jq '.objects.nat,.name,.type' | xargs -n3 ==examples== ===jq=== compound jq select using and/or (note: contains returns true/false) | jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} ' and another one... | jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("hahah") or contains("lol") | not )) and (.enabled == true)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} ' filter objects dictary for uid for accept action jq '."objects-dictionary"[] | select (.name == "Accept") | .uid' get cluster member policy installation targets | jq -c '."installation-targets-revision"[] | ."cluster-members-revision"[] | ."target-name"' | tr -d '"' | tr '\n' ' ' "rulenum": 1, <br> "comment": "hahahlol" ===curl=== curl -X POST -H "Content-Type: application/json" -d '{"userId": 5, "title": "Post Title", "body": "Post content."}' curl -X -H POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' 192.168.1.10:443/login $ '''curl --insecure -X POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' https://192.168.1.10:443/web_api/login''' { "uid" : "46a11170-e554-4e58-a5fc-65ff9e38d8cb", "sid" : "dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres", "url" : "https://10.128.1.81:443/web_api", "session-timeout" : 600, "last-login-was-at" : { "posix" : 1707413218074, "iso-8601" : "2024-02-08T10:26-0700" }, "api-server-version" : "1.8.1", "user-name" : "jsmith", "user-uid" : "c1109c35-d741-7jg8-98e3-36669b7047a2" ==links== [https://community.checkpoint.com/t5/General-Management-Topics/What-s-new-with-R80-20M1-Management-API/td-p/39522 What's new with R80.20M1 Management API] [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.4%20 r80 api reference] 
[https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli] [https://devqa.io/curl-sending-api-requests/ How to Use CURL to Send API Requests] f787933985d9e09912f777be7a6ef2d6491d2c52 896 895 2024-03-19T16:14:44Z Nighthawk 1 /* curl */ wikitext text/x-wiki ==Management server API setup== ===enabling for remote IPs=== done the smartconsole [[file:cp_mgmt_api_enable_all_IPs.png]] it can also be enabled via mgmt_cli under "set api-settings" ===status check=== [Expert@chmkmgr1:0]# '''api status''' <br>API Settings: <br><nowiki>-----------------</nowiki> <br>Accessibility: Require all granted <br>Automatic Start: Enabled <br>Processes: <br>Name State PID More Information <br><nowiki>-------------------------------------------------</nowiki> <br>API Started 10763 <br>CPM Started 10460 Check Point Security Management Server is running and ready <br>FWM Started 10007 <br>Port Details: <br><nowiki>----------------</nowiki> <br>JETTY Internal Port: 50276 <br>APACHE Gaia Port: 443 <br><nowiki>-------------------------------------------------</nowiki> <br>Overall API Status: Started <br><nowiki>-------------------------------------------------</nowiki> <br>API readiness test SUCCESSFUL. The server is up and ready to receive connections ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user admin > id.txt same but read only # mgmt_cli login user admin read-only true > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. 
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... 
For example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with

 | jq '.rulebase[]'

If you DO HAVE headers, to output the rules you need

 | jq '.rulebase[] | .rulebase[]'

====rule numbers====
===show access layers?===
 [Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name''''
 "dropall Network"
 "Network"

where "Network" represents the default policy package Standard

===examples===
show number of rules in policy
 mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total'

display rule with uid = xxx
 # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"'''

display src/dst/service from rule with uid
 for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq ".$i[].name"; done

alternate (inferior) way with jq
 mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"'
 1

display rule number with comment containing the string haha
 mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}'
 "rulenum": 1,
 "comment": "hahahlol"

===adding rules===
 mgmt_cli -s id.txt add access-rule layer xxad70c9-b4c6-4e64-9bfd-d57ac91289f3 name new_rule
 mgmt_cli -s id.txt add access-rule layer xx70adc9-b4c6-4e64-9bfd-d57ac91289f3 position top name new_rule
 mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" action "Accept" service add "https"
 mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" service.add "https"

===mds / domain===
get list of domains, objects (management and firewalls), object type
 mgmt_cli.exe -s id.txt show gateways-and-servers --format json limit 500 | jq '.objects.nat,.name,.type' | xargs -n3

==examples==
===jq===
compound jq select using and/or (note: contains returns true/false)
 | jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} '

and another one...
 | jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("hahah") or contains("lol") | not )) and (.enabled == true)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} '

filter the objects-dictionary for the uid of the Accept action
 jq '."objects-dictionary"[] | select (.name == "Accept") | .uid'

get cluster member policy installation targets
 | jq -c '."installation-targets-revision"[] | ."cluster-members-revision"[] | ."target-name"' | tr -d '"' | tr '\n' ' '

===curl===
generic JSON POST syntax
 curl -X POST -H "Content-Type: application/json" -d '{"userId": 5, "title": "Post Title", "body": "Post content."}'
 curl -X POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' 192.168.1.10:443/login

login to the management API (--insecure skips TLS certificate verification)
 $ '''curl --insecure -X POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' https://192.168.1.10:443/web_api/login'''
 {
   "uid" : "46a11170-e554-4e58-a5fc-65ff9e38d8cb",
   "sid" : "dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres",
   "url" : "https://10.128.1.81:443/web_api",
   "session-timeout" : 600,
   "last-login-was-at" : {
     "posix" : 1707413218074,
     "iso-8601" : "2024-02-08T10:26-0700"
   },
   "api-server-version" : "1.8.1",
   "user-name" : "jsmith",
   "user-uid" : "c1109c35-d741-7jg8-98e3-36669b7047a2"
 }

==links==
* [https://community.checkpoint.com/t5/General-Management-Topics/What-s-new-with-R80-20M1-Management-API/td-p/39522 What's new with R80.20M1 Management API]
* [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.4%20 r80 api reference]
* [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api]

parsing json return output
* [https://stedolan.github.io/jq/ jq]
* [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli]
* [https://devqa.io/curl-sending-api-requests/ How to Use CURL to Send API Requests]
-s id.txt add access-rule layer xx70adc9-b4c6-4e64-9bfd-d57ac91289f3 position top name new_rule mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" action "Accept" service add "https" mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" service.add "https" ===mds / domain=== get list of domains,objects(management and firewalls),object type mgmt_cli.exe -s id.txt show gateways-and-servers --format json limit 500 | jq '.objects.nat,.name,.type' | xargs -n3 ==jq examples== compound jq select using and/or (note: contains returns true/false) | jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} ' and another one... | jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("hahah") or contains("lol") | not )) and (.enabled == true)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} ' filter objects dictary for uid for accept action jq '."objects-dictionary"[] | select (.name == "Accept") | .uid' get cluster member policy installation targets | jq -c '."installation-targets-revision"[] | ."cluster-members-revision"[] | ."target-name"' | tr -d '"' | tr '\n' ' ' "rulenum": 1, <br> "comment": "hahahlol" ==links== [https://community.checkpoint.com/t5/General-Management-Topics/What-s-new-with-R80-20M1-Management-API/td-p/39522 What's new with R80.20M1 Management API] [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.4%20 r80 api reference] [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli] 3cae6aa2b48490ac18cf62383a4899a382eb497b 830 827 2019-05-26T04:53:25Z Nighthawk 1 /* examples */ wikitext text/x-wiki ==Management server API setup== ===enabling for remote 
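The two response shapes and the 50-rule page limit described under "notes before you begin" make a plain jq one-liner fragile; the following is an added example (Python, not the wiki's or Check Point's code) that flattens both shapes, walks the offsets until total is reached, and applies the same comment/enabled filter as the compound jq select. It does not call mgmt_cli: the server is a constructed stand-in, and the 'total', 'from', 'to' fields and the section-carrying-its-own-'rulebase' shape are assumptions taken from the page's description of the JSON.

```python
"""Flatten and page through Check Point 'show access-rulebase' JSON (added example)."""
from typing import Callable, Iterator, List

PAGE_LIMIT = 50  # the wiki notes that show access-rulebase returns at most 50 rules per call


def iter_rules(rulebase: List[dict]) -> Iterator[dict]:
    """Yield the access rules in a 'rulebase' array, descending into sections.

    With no section headers every element is a rule; with headers each element
    is a section carrying its own nested 'rulebase' array (the page's
    '.rulebase[] | .rulebase[]' case).  A mix of both shapes is handled too.
    """
    for item in rulebase:
        if isinstance(item.get("rulebase"), list):  # section header: recurse into it
            yield from iter_rules(item["rulebase"])
        else:
            yield item


def fetch_all_rules(fetch_page: Callable[[int, int], dict],
                    limit: int = PAGE_LIMIT) -> List[dict]:
    """Collect every rule by advancing 'offset' until 'total' rules are in hand.

    fetch_page(offset, limit) stands in for
    'mgmt_cli show access-rulebase ... --format json offset N limit M' and must
    return the parsed response; 'rulebase' and 'total' keys are assumed.
    """
    rules: List[dict] = []
    offset = 0
    while True:
        page = fetch_page(offset, limit)
        got = list(iter_rules(page.get("rulebase", [])))
        rules.extend(got)
        total = page.get("total", len(rules))
        if not got or len(rules) >= total:  # an empty page guards against looping forever
            return rules
        offset += len(got)


def select_rules(rules: List[dict], noise: tuple = ("hahah", "lol"),
                 enabled_only: bool = True) -> List[dict]:
    """Python form of the page's compound jq select:
    select((.comments | (contains("hahah") or contains("lol")) | not) and (.enabled == true))
    """
    keep = []
    for r in rules:
        comment = r.get("comments") or ""
        if any(s in comment for s in noise):
            continue
        if enabled_only and not r.get("enabled", False):
            continue
        keep.append({"enabled": r.get("enabled"), "rulenum": r.get("rule-number"),
                     "ruleUID": r.get("uid"), "comments": comment})
    return keep


def uid_of(objects_dictionary: List[dict], name: str) -> str:
    """Same lookup as jq '."objects-dictionary"[] | select(.name == "Accept") | .uid'."""
    for obj in objects_dictionary:
        if obj.get("name") == name:
            return obj["uid"]
    raise KeyError(name)


def make_fake_fetch(total: int, section_size: int = 0) -> Callable[[int, int], dict]:
    """Constructed stand-in for the management server (test data, not real output).

    Rule i gets uid 'uid-i' and rule-number i+1; every 7th rule is disabled and
    carries a 'lol' comment so select_rules has something to drop.  section_size
    > 0 wraps runs of that many rules in sections, reproducing the nested shape.
    """
    all_rules = [{"uid": f"uid-{i}", "type": "access-rule", "rule-number": i + 1,
                  "enabled": i % 7 != 0,
                  "comments": "lol, temporary" if i % 7 == 0 else f"rule {i + 1}"}
                 for i in range(total)]

    def fetch_page(offset: int, limit: int) -> dict:
        chunk = all_rules[offset:offset + limit]
        if not section_size:
            body = chunk
        else:
            body = []
            for rule in chunk:
                sec = f"section {(rule['rule-number'] - 1) // section_size}"
                if not body or body[-1]["name"] != sec:
                    body.append({"type": "access-section", "name": sec, "rulebase": []})
                body[-1]["rulebase"].append(rule)
        return {"rulebase": body, "total": total,
                "from": offset + 1, "to": offset + len(chunk)}

    return fetch_page


if __name__ == "__main__":
    fetch = make_fake_fetch(120, section_size=45)  # 120 rules, 3 pages, nested sections
    rules = fetch_all_rules(fetch)
    print(len(rules), "rules fetched;", len(select_rules(rules)), "enabled and not noisy")
```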
d126fd720481cc97b3e96c165dec718a208a6359 827 826 2019-04-25T23:45:11Z Nighthawk 1 /* links */ wikitext text/x-wiki
a90f9d89fab9cf01e899437e5c20fcd1542bfd1b 826 822 2019-04-25T23:44:32Z Nighthawk 1 /* links */ wikitext text/x-wiki
9fbb9a6a8ef5fa5630566c52bf3a77126c4c1eef 822 821 2018-08-12T16:45:47Z Nighthawk 1 /* jq examples */ wikitext text/x-wiki
313040d1b6f28bee897404cb9252b5098cb522f2 821 820 2018-08-03T15:44:01Z Nighthawk 1 /* examples */ wikitext text/x-wiki
f961290e4ee7239d6101968596220dfcaa3b22cd 820 819 2018-08-03T15:27:03Z Nighthawk 1 /* examples */ wikitext text/x-wiki
| jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("hahah") or contains("lol") | not )) and (.enabled == true)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} ' "rulenum": 1, <br> "comment": "hahahlol" ==links== [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20 r80 api reference] [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli' 04fcb487cce851beda19d7ba20bdd4473e773caf 819 818 2018-08-03T15:26:27Z Nighthawk 1 /* examples */ wikitext text/x-wiki ==Management server API setup== ===enabling for remote IPs=== done the smartconsole [[file:cp_mgmt_api_enable_all_IPs.png]] it can also be enabled via mgmt_cli under "set api-settings" ===status check=== [Expert@chmkmgr1:0]# '''api status''' <br>API Settings: <br><nowiki>-----------------</nowiki> <br>Accessibility: Require all granted <br>Automatic Start: Enabled <br>Processes: <br>Name State PID More Information <br><nowiki>-------------------------------------------------</nowiki> <br>API Started 10763 <br>CPM Started 10460 Check Point Security Management Server is running and ready <br>FWM Started 10007 <br>Port Details: <br><nowiki>----------------</nowiki> <br>JETTY Internal Port: 50276 <br>APACHE Gaia Port: 443 <br><nowiki>-------------------------------------------------</nowiki> <br>Overall API Status: Started <br><nowiki>-------------------------------------------------</nowiki> <br>API readiness test SUCCESSFUL. 
The server is up and ready to receive connections ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user admin > id.txt same but read only # mgmt_cli login user admin read-only true > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... 
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | jq '.rulebase[]' if you DO HAVE headers, to output the rules you need | jq '.rulebase[] | .rulebase[]' ====rule numbers==== ===show access layers?=== [Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network"''' "Network" where "Network" represents the default policy package Standard ===examples=== show number of rules in policy mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total' display rule with uid = xxx # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"''' display src/dst/service from rule with uid for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done alternate(inferior) way with jq mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1 display rule number with comment containing a string haha mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' compound jq select using and/or (note: contains returns true/false) | jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} ' and another one... 
| jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("Skybox") or contains("skybox") | not )) and (.enabled == false)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} ' "rulenum": 1, <br> "comment": "hahahlol" ==links== [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20 r80 api reference] [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli' 4ed421a8cf8dccea786ca4f994529d6f62a6086d 818 817 2018-08-03T15:00:17Z Nighthawk 1 /* examples */ wikitext text/x-wiki ==Management server API setup== ===enabling for remote IPs=== done the smartconsole [[file:cp_mgmt_api_enable_all_IPs.png]] it can also be enabled via mgmt_cli under "set api-settings" ===status check=== [Expert@chmkmgr1:0]# '''api status''' <br>API Settings: <br><nowiki>-----------------</nowiki> <br>Accessibility: Require all granted <br>Automatic Start: Enabled <br>Processes: <br>Name State PID More Information <br><nowiki>-------------------------------------------------</nowiki> <br>API Started 10763 <br>CPM Started 10460 Check Point Security Management Server is running and ready <br>FWM Started 10007 <br>Port Details: <br><nowiki>----------------</nowiki> <br>JETTY Internal Port: 50276 <br>APACHE Gaia Port: 443 <br><nowiki>-------------------------------------------------</nowiki> <br>Overall API Status: Started <br><nowiki>-------------------------------------------------</nowiki> <br>API readiness test SUCCESSFUL. 
The server is up and ready to receive connections ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user admin > id.txt same but read only # mgmt_cli login user admin read-only true > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... 
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | jq '.rulebase[]' if you DO HAVE headers, to output the rules you need | jq '.rulebase[] | .rulebase[]' ====rule numbers==== ===show access layers?=== [Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network"''' "Network" where "Network" represents the default policy package Standard ===examples=== show number of rules in policy mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total' display rule with uid = xxx # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"''' display src/dst/service from rule with uid for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done alternate(inferior) way with jq mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1 display rule number with comment containing a string haha mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' compound jq select using and/or | jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} ' "rulenum": 1, <br> "comment": "hahahlol" ==links== [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20 r80 api reference] [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] 
[https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli' b762effb0a3ee012b9aa3828ac8c1b8d44d13a60 817 791 2018-08-03T10:47:31Z Nighthawk 1 /* examples */ wikitext text/x-wiki ==Management server API setup== ===enabling for remote IPs=== done the smartconsole [[file:cp_mgmt_api_enable_all_IPs.png]] it can also be enabled via mgmt_cli under "set api-settings" ===status check=== [Expert@chmkmgr1:0]# '''api status''' <br>API Settings: <br><nowiki>-----------------</nowiki> <br>Accessibility: Require all granted <br>Automatic Start: Enabled <br>Processes: <br>Name State PID More Information <br><nowiki>-------------------------------------------------</nowiki> <br>API Started 10763 <br>CPM Started 10460 Check Point Security Management Server is running and ready <br>FWM Started 10007 <br>Port Details: <br><nowiki>----------------</nowiki> <br>JETTY Internal Port: 50276 <br>APACHE Gaia Port: 443 <br><nowiki>-------------------------------------------------</nowiki> <br>Overall API Status: Started <br><nowiki>-------------------------------------------------</nowiki> <br>API readiness test SUCCESSFUL. The server is up and ready to receive connections ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user admin > id.txt same but read only # mgmt_cli login user admin read-only true > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. 
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... 
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | jq '.rulebase[]' if you DO HAVE headers, to output the rules you need | jq '.rulebase[] | .rulebase[]' ====rule numbers==== ===show access layers?=== [Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network"''' "Network" where "Network" represents the default policy package Standard ===examples=== show number of rules in policy mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total' display rule with uid = xxx # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"''' display src/dst/service from rule with uid for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done alternate(inferior) way with jq mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1 display rule number with comment containing a string haha mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' "rulenum": 1, <br> "comment": "hahahlol" ==links== [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20 r80 api reference] [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli' 22293cea8ea17f326a39343e3fa1bbd1725e08e8 791 790 2018-06-11T15:56:09Z Nighthawk 1 /* examples */ wikitext text/x-wiki 
==Management server API setup== ===enabling for remote IPs=== done the smartconsole [[file:cp_mgmt_api_enable_all_IPs.png]] it can also be enabled via mgmt_cli under "set api-settings" ===status check=== [Expert@chmkmgr1:0]# '''api status''' <br>API Settings: <br><nowiki>-----------------</nowiki> <br>Accessibility: Require all granted <br>Automatic Start: Enabled <br>Processes: <br>Name State PID More Information <br><nowiki>-------------------------------------------------</nowiki> <br>API Started 10763 <br>CPM Started 10460 Check Point Security Management Server is running and ready <br>FWM Started 10007 <br>Port Details: <br><nowiki>----------------</nowiki> <br>JETTY Internal Port: 50276 <br>APACHE Gaia Port: 443 <br><nowiki>-------------------------------------------------</nowiki> <br>Overall API Status: Started <br><nowiki>-------------------------------------------------</nowiki> <br>API readiness test SUCCESSFUL. The server is up and ready to receive connections ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user admin > id.txt same but read only # mgmt_cli login user admin read-only true > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... 
<package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | jq '.rulebase[]' if you DO HAVE headers, to output the rules you need | jq '.rulebase[] | .rulebase[]' ====rule numbers==== ===show access layers?=== [Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network"''' "Network" where "Network" represents the default policy package Standard ===examples=== show number of rules in policy mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json | jq '.total' display rule with uid = xxx # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"''' display src/dst/service from rule with uid for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done alternate(inferior) way with jq mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1 display rule number with comment containing a string haha mgmt_cli show access-rulebase name 
"Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' "rulenum": 1, <br> "comment": "hahahlol" ==links== [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20 r80 api reference] [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli' 5ad87f00f6040afa8be08ed804534f7a725a2111 790 788 2018-06-11T15:48:54Z Nighthawk 1 /* logging in */ wikitext text/x-wiki ==Management server API setup== ===enabling for remote IPs=== done the smartconsole [[file:cp_mgmt_api_enable_all_IPs.png]] it can also be enabled via mgmt_cli under "set api-settings" ===status check=== [Expert@chmkmgr1:0]# '''api status''' <br>API Settings: <br><nowiki>-----------------</nowiki> <br>Accessibility: Require all granted <br>Automatic Start: Enabled <br>Processes: <br>Name State PID More Information <br><nowiki>-------------------------------------------------</nowiki> <br>API Started 10763 <br>CPM Started 10460 Check Point Security Management Server is running and ready <br>FWM Started 10007 <br>Port Details: <br><nowiki>----------------</nowiki> <br>JETTY Internal Port: 50276 <br>APACHE Gaia Port: 443 <br><nowiki>-------------------------------------------------</nowiki> <br>Overall API Status: Started <br><nowiki>-------------------------------------------------</nowiki> <br>API readiness test SUCCESSFUL. The server is up and ready to receive connections ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user admin > id.txt same but read only # mgmt_cli login user admin read-only true > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. 
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... 
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | jq '.rulebase[]' if you DO HAVE headers, to output the rules you need | jq '.rulebase[] | .rulebase[]' ====rule numbers==== ===show access layers?=== [Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network"''' "Network" where "Network" represents the default policy package Standard ===examples=== show number of rules in policy mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json | jq '.total' display only the rule number for a rule with uid = xxx # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"''' display src/dst/service from rule with uid for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done alternate(inferior) way with jq mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1 display rule number with comment containing a string haha mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' "rulenum": 1, <br> "comment": "hahahlol" ==links== [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20 r80 api reference] [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli' 1777e2d98a1225e1eba68ffa207c8dd087eb210b 788 787 2018-05-17T20:54:25Z Nighthawk 1 /* examples */ wikitext 
text/x-wiki ==Management server API setup== ===enabling for remote IPs=== done the smartconsole [[file:cp_mgmt_api_enable_all_IPs.png]] it can also be enabled via mgmt_cli under "set api-settings" ===status check=== [Expert@chmkmgr1:0]# '''api status''' <br>API Settings: <br><nowiki>-----------------</nowiki> <br>Accessibility: Require all granted <br>Automatic Start: Enabled <br>Processes: <br>Name State PID More Information <br><nowiki>-------------------------------------------------</nowiki> <br>API Started 10763 <br>CPM Started 10460 Check Point Security Management Server is running and ready <br>FWM Started 10007 <br>Port Details: <br><nowiki>----------------</nowiki> <br>JETTY Internal Port: 50276 <br>APACHE Gaia Port: 443 <br><nowiki>-------------------------------------------------</nowiki> <br>Overall API Status: Started <br><nowiki>-------------------------------------------------</nowiki> <br>API readiness test SUCCESSFUL. The server is up and ready to receive connections ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user admin > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. 
Also, the output of show access-rulebase is limited to 50 rules. If you want more, I think you have to iterate through a set of offsets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. They will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands...
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with
| jq '.rulebase[]'
if you DO HAVE headers, to output the rules you need
| jq '.rulebase[] | .rulebase[]'
====rule numbers====
===show access layers?===
[Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' '''
"dropall Network"
"Network"
where "Network" represents the default policy package Standard
===examples===
show number of rules in policy
mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json | jq '.total'
display only the rule number for a rule with uid = xxx
# '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"'''
display src/dst/service from rule with uid
for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq ".$i[].name"; done
alternate (inferior) way with jq
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"'
1
display rule number with comment containing a string haha
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}'
"rulenum": 1, <br> "comment": "hahahlol"
==links==
[https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20 r80 api reference]
[https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api]
parsing json return output
[https://stedolan.github.io/jq/ jq]
[https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli]
3d19563f9b845bfeeabd99839719ceb6d9d6f71f
787 786 2018-05-17T20:54:07Z Nighthawk 1 /* examples */ wikitext text/x-wiki
==Management server API setup==
===enabling for remote IPs===
done through the smartconsole
[[file:cp_mgmt_api_enable_all_IPs.png]]
it can also be enabled via mgmt_cli under "set api-settings"
===status check===
[Expert@chmkmgr1:0]# '''api status'''
<br>API Settings:
<br><nowiki>-----------------</nowiki>
<br>Accessibility: Require all granted
<br>Automatic Start: Enabled
<br>Processes:
<br>Name State PID More Information
<br><nowiki>-------------------------------------------------</nowiki>
<br>API Started 10763
<br>CPM Started 10460 Check Point Security Management Server is running and ready
<br>FWM Started 10007
<br>Port Details:
<br><nowiki>----------------</nowiki>
<br>JETTY Internal Port: 50276
<br>APACHE Gaia Port: 443
<br><nowiki>-------------------------------------------------</nowiki>
<br>Overall API Status: Started
<br><nowiki>-------------------------------------------------</nowiki>
<br>API readiness test SUCCESSFUL. The server is up and ready to receive connections
==examples==
===logging in===
login and redirect session info to a file for reuse
# mgmt_cli login user admin > id.txt
===search existing object===
search objects by IP, return all objects that contain the ip explicitly or within a network address space/range.
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}'
return only objects with the EXACT ip
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name'
*** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object)
==access rules==
===notes before you begin===
when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below.
Also, the output of show access-rulebase is limited to 50 rules. If you want more, I think you have to iterate through a set of offsets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. They will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands...
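The two caveats in the notes above (at most 50 rules per call, and one nested rulebase[] array per section when the policy has headers) are easier to handle in a short script than in a jq one-liner. The following is an added example, not code from this wiki page or from Check Point: it assumes the JSON shape the notes describe (a top-level "rulebase" array whose section entries carry their own "rulebase", plus a "total" rule count), walks the rulebase with the API's offset/limit parameters, and replaces mgmt_cli with a constructed in-memory stand-in (FakeServer) so that it runs offline. The uids and comments in the test data are constructed placeholders.

```python
"""Walk a paged 'show access-rulebase' reply and flatten section headers.

Added example, not code from the wiki page or from Check Point. It assumes
the JSON shape the notes describe: a top-level "rulebase" array whose section
entries carry their own nested "rulebase" array, and a "total" rule count.
mgmt_cli itself is replaced by a constructed in-memory stand-in (FakeServer).
"""
from typing import Callable, Iterator, List, Optional

PAGE_LIMIT = 50  # the page states one show access-rulebase call returns at most 50 rules


def iter_rules(rulebase: list) -> Iterator[dict]:
    """Yield rule objects in policy order, descending into section entries.

    A section is recognised by carrying its own "rulebase" key, which is the
    nesting the wiki describes; a flat policy (no headers) needs no descent.
    """
    for entry in rulebase:
        if "rulebase" in entry:
            yield from iter_rules(entry["rulebase"])
        else:
            yield entry


def fetch_all_rules(fetch_page: Callable[[int, int], dict]) -> List[dict]:
    """Repeat fetch_page(offset, limit) until 'total' rules have been seen.

    With a real server, fetch_page would run
    mgmt_cli -s id.txt show access-rulebase name "<package> <layer>" offset N limit 50 --format json
    and json.loads() its stdout (offset/limit are API parameters; assumed here).
    """
    rules: List[dict] = []
    offset = 0
    while True:
        reply = fetch_page(offset, PAGE_LIMIT)
        page = list(iter_rules(reply.get("rulebase", [])))
        if not page:                       # empty page: stop rather than loop forever
            break
        rules.extend(page)
        offset += len(page)                # count rules, not sections: 'total' counts rules
        if offset >= int(reply.get("total", 0)):
            break
    return rules


def rule_number_for_uid(rules: List[dict], uid: str) -> Optional[int]:
    """Same question as the page's select(.uid == ...) | ."rule-number" one-liner."""
    for rule in rules:
        if rule.get("uid") == uid:
            return rule.get("rule-number")
    return None


def rules_with_comment(rules: List[dict], needle: str) -> List[int]:
    """Rule numbers whose comment contains needle (the page's contains("haha") query)."""
    return [r["rule-number"] for r in rules if needle in r.get("comments", "")]


# ---- constructed test data; none of these uids or comments come from a real policy ----
def build_policy(count: int) -> List[dict]:
    """Build count rules with placeholder uids; rules 1 and 77 get a 'haha' comment."""
    return [{
        "uid": f"00000000-0000-0000-0000-{n:012d}",
        "rule-number": n,
        "comments": "hahalol" if n in (1, 77) else f"rule {n}",
        "source": [{"name": "Any"}], "destination": [{"name": "Any"}],
        "service": [{"name": "https"}],
    } for n in range(1, count + 1)]


class FakeServer:
    """Stand-in for the management server: answers offset/limit queries with at
    most `limit` rules, wrapped in per-section rulebase arrays when section_size
    is set (a policy with headers) and as one flat array otherwise."""

    def __init__(self, rules: List[dict], section_size: Optional[int] = None):
        self.rules, self.section_size, self.calls = rules, section_size, 0

    def fetch_page(self, offset: int, limit: int) -> dict:
        self.calls += 1
        chunk = self.rules[offset:offset + limit]
        if self.section_size is None:
            body = chunk
        else:
            body, current, current_sec = [], None, None
            for rule in chunk:
                sec = (rule["rule-number"] - 1) // self.section_size
                if sec != current_sec:     # a section straddling two pages shows up in both
                    current = {"name": f"Section {sec + 1}", "rulebase": []}
                    body.append(current)
                    current_sec = sec
                current["rulebase"].append(rule)
        return {"total": len(self.rules), "rulebase": body}


if __name__ == "__main__":
    server = FakeServer(build_policy(120), section_size=45)
    rules = fetch_all_rules(server.fetch_page)
    print(len(rules), "rules in", server.calls, "calls; haha rules:",
          rules_with_comment(rules, "haha"))
```

Because iter_rules keys on the presence of a nested "rulebase" rather than on a section type, the same loop serves a policy without headers (one flat array) and a policy with headers (an array of sections), which is exactly the distinction the two jq filters below make by hand; the offset is advanced by the number of rules actually received, so a section that straddles two pages is not double counted.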
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with
| jq '.rulebase[]'
if you DO HAVE headers, to output the rules you need
| jq '.rulebase[] | .rulebase[]'
====rule numbers====
===show access layers?===
[Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' '''
"dropall Network"
"Network"
where "Network" represents the default policy package Standard
===examples===
show number of rules in policy
mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json | jq '.total'
display only the rule number for a rule with uid = xxx
# '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"'''
display src/dst/service from rule with uid
for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq ".$i[].name"; done
alternate (inferior) way with jq
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"'
1
display rule number with comment containing a string haha
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}'
"rulenum": 1, <br> "comment": "hahahlol"
==links==
[https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20 r80 api reference]
[https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api]
parsing json return output
[https://stedolan.github.io/jq/ jq]
[https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli]
3fb71ca18d9d642ddc45dc468acef5ef37d3bd6c
786 753 2018-05-17T20:53:50Z Nighthawk 1 /* examples */ wikitext
text/x-wiki eba9f4cf63f14cf51e47766d5fe10a26241fdd6a
753 752 2018-04-22T22:02:26Z Nighthawk 1 /* status check */ wikitext text/x-wiki edb3db25e9aa4d9552e5869983dcee6371cd06a3
752 751 2018-04-22T22:02:12Z Nighthawk 1 /* status check */ wikitext text/x-wiki 72d965072808116a0c361783ed0572e9de1b3786
751 750 2018-04-22T22:01:48Z Nighthawk 1 /* status check */ wikitext text/x-wiki f79f1a33a18f38736c02ff4171fee31e5a3a77d7
750 749 2018-04-22T22:00:48Z Nighthawk 1 /* status check */ wikitext text/x-wiki 7500afe8d250c669dfed8d1907223ecd2c7f3df0
749 748 2018-04-22T21:59:29Z Nighthawk 1 /* status check */ wikitext text/x-wiki 4f2f7182f60482e9ebbe4e0447dc5d3106b9abae
748 747 2018-04-22T21:58:49Z Nighthawk 1 /* enabling for remote IPs */ wikitext text/x-wiki 0ea7828974e0c917106a15d6acdcb81c34a9025f
747 746 2018-04-22T21:39:51Z Nighthawk 1 /* enabling for remote IPs */ wikitext text/x-wiki
==Management server API setup==
===enabling for remote IPs===
done through the smartconsole
[[file:cp_mgmt_api_enable_all_IPs.png]]
==examples==
===logging in===
login and redirect session info to a file for reuse
# mgmt_cli login user admin > id.txt
===search existing object===
search objects by IP, return all objects that contain the ip explicitly or within a network address space/range.
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}'
return only objects with the EXACT ip
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name'
*** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object)
==access rules==
===notes before you begin===
when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below.
Also, the output of show access-rulebase is limited to 50 rules. If you want more, I think you have to iterate through a set of offsets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array.
If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | jq '.rulebase[]' if you DO HAVE headers, to output the rules you need | jq '.rulebase[] | .rulebase[]' ====rule numbers==== ===show access layers?=== [Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network"''' "Network" where "Network" represents the default policy package Standard ===examples=== show number of rules in policy mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json | jq '.total' display only the rule number for a rule with uid = xxx # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"''' display src/dst/service from rule with uid for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done alternate(inferior) way with jq mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1 display rule number with comment containing a string haha mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' "rulenum": 1, <br> "comment": "hahahlol" ==links== [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20 r80 api reference] 
[https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli' 07707046e509cba2bdf02c2f9103a68688d8adf0 746 744 2018-04-22T21:39:32Z Nighthawk 1 wikitext text/x-wiki ==Management server API setup== ===enabling for remote IPs=== done through the smartconsole [[file:cp_mgmt_api_enable_all_IPs.png]] ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user admin > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. 
The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | jq '.rulebase[]' if you DO HAVE headers, to output the rules you need | jq '.rulebase[] | .rulebase[]' ====rule numbers==== ===show access layers?=== [Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network"''' "Network" where "Network" represents the default policy package Standard ===examples=== show number of rules in policy mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json | jq '.total' display only the rule number for a rule with uid = xxx # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"''' display src/dst/service from rule with uid for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done alternate(inferior) way with jq mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1 display rule number with comment containing a string haha mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' "rulenum": 1, <br> "comment": "hahahlol" ==links== [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20 r80 api reference] [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli' 
1ed0965070272301214ed9533700dc397a0a93f0 744 743 2018-04-20T15:16:25Z Nighthawk 1 /* examples */ wikitext text/x-wiki ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user admin > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... 
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | jq '.rulebase[]' if you DO HAVE headers, to output the rules you need | jq '.rulebase[] | .rulebase[]' ====rule numbers==== ===show access layers?=== [Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network"''' "Network" where "Network" represents the default policy package Standard ===examples=== show number of rules in policy mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json | jq '.total' display only the rule number for a rule with uid = xxx # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"''' display src/dst/service from rule with uid for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done alternate(inferior) way with jq mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1 display rule number with comment containing a string haha mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' "rulenum": 1, <br> "comment": "hahahlol" ==links== [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20 r80 api reference] [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli' c213cb5bcc78fa609fa17b048aa77f89107380dd 743 740 2018-04-20T15:02:16Z Nighthawk 1 /* show access layers? 
*/ wikitext text/x-wiki ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user admin > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... 
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | jq '.rulebase[]' if you DO HAVE headers, to output the rules you need | jq '.rulebase[] | .rulebase[]' ====rule numbers==== ===show access layers?=== [Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network"''' "Network" where "Network" represents the default policy package Standard ===examples=== display only the rule number for a rule with uid = xxx # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"''' display src/dst/service from rule with uid for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done alternate(inferior) way with jq mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1 display rule number with comment containing a string haha mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' "rulenum": 1, <br> "comment": "hahahlol" ==links== [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20 r80 api reference] [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli' c5a84fa750bd43846f3752a434106193593e2be4 740 739 2018-04-04T16:17:19Z Nighthawk 1 /* notes before you begin */ wikitext text/x-wiki ==examples== ===logging in=== login and redirect session info to a file for reuse # 
mgmt_cli login user admin > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... 
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | jq '.rulebase[]' if you DO HAVE headers, to output the rules you need | jq '.rulebase[] | .rulebase[]' ====rule numbers==== ===show access layers?=== [Expert@chmkmgr1:0]# mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network" "Network" where "Network" represents the default policy package Standard ===examples=== display only the rule number for a rule with uid = xxx # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"''' display src/dst/service from rule with uid for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done alternate(inferior) way with jq mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1 display rule number with comment containing a string haha mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' "rulenum": 1, <br> "comment": "hahahlol" ==links== [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20 r80 api reference] [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli' 5e76940a0e83d3285db0ba6992203b73b7705035 739 738 2018-04-04T16:16:59Z Nighthawk 1 /* rule numbers */ wikitext text/x-wiki ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user 
admin > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... 
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | jq '.rulebase[]' if you DO HAVE headers, to output the rules you need | jq '.rulebase[] | .rulebase[]' ===show access layers?=== [Expert@chmkmgr1:0]# mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network" "Network" where "Network" represents the default policy package Standard ===examples=== display only the rule number for a rule with uid = xxx # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"''' display src/dst/service from rule with uid for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done alternate(inferior) way with jq mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1 display rule number with comment containing a string haha mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' "rulenum": 1, <br> "comment": "hahahlol" ==links== [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20 r80 api reference] [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli' d70172e686a3115513a5d242c0e3165df311ce4c 738 737 2018-04-04T16:16:09Z Nighthawk 1 /* display only the rule number for a rule with uid = xxx */ wikitext text/x-wiki ==examples== ===logging in=== login and redirect session info to a file for reuse # 
mgmt_cli login user admin > id.txt ===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... 
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | jq '.rulebase[]' if you DO HAVE headers, to output the rules you need | jq '.rulebase[] | .rulebase[]' ===show access layers?=== [Expert@chmkmgr1:0]# mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network" "Network" where "Network" represents the default policy package Standard ===rule numbers=== display only the rule number for a rule with uid = xxx # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"''' display src/dst/service from rule with uid for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done alternate(inferior) way with jq mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1 display rule number with comment containing a string haha mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' "rulenum": 1, <br> "comment": "hahahlol" ==links== [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20 r80 api reference] [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli' 02869835bb00270342fcf93715d7dd1417aa3806 737 736 2018-03-28T18:55:59Z Nighthawk 1 /* access rules */ wikitext text/x-wiki ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user admin > id.txt 
===search existing object=== search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' return only objects with the EXACT ip # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) ==access rules== ===notes before you begin=== when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name> as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... 
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | jq '.rulebase[]' if you DO HAVE headers, to output the rules you need | jq '.rulebase[] | .rulebase[]' ===show access layers?=== [Expert@chmkmgr1:0]# mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network" "Network" where "Network" represents the default policy package Standard ===display only the rule number for a rule with uid = xxx=== mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" display src/dst/service from rule with uid for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done alternate(inferior) way with jq mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1 display rule number with comment containing a string haha mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' "rulenum": 1, <br> "comment": "hahahlol" ==links== [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20 r80 api reference] [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] parsing json return output [https://stedolan.github.io/jq/ jq] [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli' ecb55a38488e5a5c10e7b75026bd05ee84a1cc75 736 735 2018-03-28T18:41:45Z Nighthawk 1 /* display rule by number */ wikitext text/x-wiki ==examples== ===logging in=== login and redirect session info to a file for reuse # mgmt_cli login user admin > id.txt ===search 
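The two access-rules notes above (flattening a rulebase that may or may not contain section headers, and looking a rule up by uid or by comment text) share one problem: jq '.rulebase[] | .rulebase[]' errors with "Cannot iterate over null" on any rule that sits outside a header. The script below is an added example, not code from this wiki or from Check Point. It assumes the reply shape the page's jq filters rely on (a top-level "rulebase" array whose items are rules or section headers, a header carrying its own nested "rulebase"); the sample reply, its uids and comments are constructed for the example.

```python
"""Flatten a 'show access-rulebase' JSON reply and look rules up in it.

Added example (not from the wiki or from Check Point). Assumes the reply
shape the page's jq filters use: rules and section headers mixed in one
"rulebase" array, a header being an object with its own nested "rulebase".
"""
import json
from typing import Iterator

# Constructed sample reply: rule 1 sits before any header, rules 2 and 3 sit
# under a section header. This mixed layout is what breaks
# jq '.rulebase[] | .rulebase[]' (rule 1 has no nested rulebase to iterate).
SAMPLE_REPLY = json.dumps({
    "name": "Network",
    "rulebase": [
        {"uid": "11111111-1111-1111-1111-111111111111", "type": "access-rule",
         "rule-number": 1, "comments": "hahahlol",
         "source": [{"name": "Any"}], "destination": [{"name": "Any"}],
         "service": [{"name": "Any"}]},
        {"uid": "22222222-2222-2222-2222-222222222222", "type": "access-section",
         "name": "DMZ", "rulebase": [
             {"uid": "33333333-3333-3333-3333-333333333333", "type": "access-rule",
              "rule-number": 2, "comments": "web servers",
              "source": [{"name": "Any"}], "destination": [{"name": "dmz_web"}],
              "service": [{"name": "http"}, {"name": "https"}]},
             {"uid": "44444444-4444-4444-4444-444444444444", "type": "access-rule",
              "rule-number": 3, "comments": "",
              "source": [{"name": "admin_net"}], "destination": [{"name": "dmz_web"}],
              "service": [{"name": "ssh"}]},
         ]},
    ],
})


def iter_rules(node: dict) -> Iterator[dict]:
    """Yield every rule in rulebase order, descending into section headers."""
    for item in node.get("rulebase", []):
        if "rulebase" in item:          # section header: recurse into it
            yield from iter_rules(item)
        else:                           # plain rule
            yield item


def rule_number_for_uid(reply: str, uid: str):
    """Same result as select(.uid == ...) | ."rule-number", with or without headers."""
    for rule in iter_rules(json.loads(reply)):
        if rule.get("uid") == uid:
            return rule.get("rule-number")
    return None


def rules_with_comment(reply: str, needle: str) -> list:
    """Same result as select(.comments | contains(needle)) | {rulenum, comment}."""
    return [{"rulenum": r.get("rule-number"), "comment": r.get("comments") or ""}
            for r in iter_rules(json.loads(reply))
            if needle in (r.get("comments") or "")]


def rule_columns(reply: str, uid: str) -> dict:
    """Object names in source/destination/service, as the page's for-loop prints them."""
    for rule in iter_rules(json.loads(reply)):
        if rule.get("uid") == uid:
            return {col: [o["name"] for o in rule.get(col, [])]
                    for col in ("source", "destination", "service")}
    return {}


if __name__ == "__main__":
    uid = "33333333-3333-3333-3333-333333333333"
    print(rule_number_for_uid(SAMPLE_REPLY, uid))
    print(rules_with_comment(SAMPLE_REPLY, "haha"))
    print(rule_columns(SAMPLE_REPLY, uid))
```

Pipe the real reply in with mgmt_cli ... --format json and json.load(sys.stdin) in place of SAMPLE_REPLY. If the rule objects carry type "access-rule" (an assumption here, not confirmed by the page), the jq equivalent of iter_rules is jq '.. | objects | select(.type == "access-rule")', which also survives the mixed layout.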
r80 api reference (2018-01-29T15:31:15Z, Nighthawk: moved page [[r80 api reference]] to [[r80 api notes]])

#REDIRECT [[r80 api notes]]

reboot logs (2024-01-17T15:30:03Z, Nighthawk)

reboot log location
 /var/log/reboot.log
especially significant for Maestro, config reboot reasons...
 /var/log/configuration_reboot_reason.log

revoking Check Point administrator certificates (2014-07-25T17:35:42Z, Nighthawk)

== problem description ==
versions: Check Point R65 - R75 (guessing)

products: reported on Provider-1, but could be relevant for a SmartCenter / Smart-1

Sometimes the need arises to revoke a user's certificate via CLI. One such situation is where an administrator account was deleted without first revoking the certificate in the GUI. This deletes the user but leaves the user's certificate behind. If you then try to recreate a user with the same name and generate a certificate, the certificate generation sometimes fails. The exact error message is not documented here.

== solution ==
no return value from above, so account non-existent

1. list current certs for user
 [Expert@P1server]# '''cpca_client lscert | grep -A 2 -i johnsmith | grep -C 1 -i valid'''
 --
 Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9
 '''Status = Valid'''   Kind = SIC   Serial = 47765   DP = 0
 Not_Before: Fri Mar 28 04:57:09 2014   Not_After: Thu Mar 28 04:57:09 2019
 --

2.
revoke valid certs by referencing the CNs from above
 [Expert@P1server]# '''cpca_client revoke_cert -n "CN=johnsmith,OU=users,O=P1server..rsyqv9"'''
 Certificate was revoked successfully

3. verify all certs have a status of revoked
 [Expert@P1server]# '''cpca_client lscert | grep -A 2 -i johnsmith | grep -C 1 -i valid'''
 --
 Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9
 '''Status = Revoked'''   Kind = SIC   Serial = 47765   DP = 0
 Not_Before: Fri Mar 28 04:57:09 2014   Not_After: Thu Mar 28 04:57:09 2019
 --

done
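The three steps above lean on grep context windows (-A 2, -C 1) to pick the Valid certificate out of cpca_client lscert output, which silently misses or mis-groups records when a user has several certificates. The script below is an added example, not code from this wiki or from Check Point. It assumes the three-line-per-certificate layout shown on the page (a Subject line, a Status/Kind/Serial/DP line, a Not_Before/Not_After line) and that the Subject value is exactly the string revoke_cert -n expects; the sample listing is constructed for the example, with the page's two johnsmith certificates plus a made-up janedoe one.

```python
"""Parse 'cpca_client lscert' output and report which of a user's
certificates are still Valid (step 1), the matching revoke commands
(step 2) and a pass/fail check for the verification step (step 3).

Added example, not from the wiki or from Check Point. Assumes the
three-line-per-certificate layout shown on the page.
"""
import re

# Constructed sample listing (not real cpca_client output): the two johnsmith
# records from the page plus one unrelated user. Days are space-padded as in
# ctime-style dates, which is why the parser must not split on double spaces
# inside the Not_Before/Not_After line.
SAMPLE_LSCERT = """\
Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9
Status = Revoked   Kind = SIC   Serial = 26247   DP = 0
Not_Before: Mon Dec  9 20:30:28 2013   Not_After: Sun Dec  9 20:30:28 2018

Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9
Status = Valid   Kind = SIC   Serial = 47765   DP = 0
Not_Before: Fri Mar 28 04:57:09 2014   Not_After: Thu Mar 28 04:57:09 2019

Subject = CN=janedoe,OU=users,O=P1server..rsyqv9
Status = Valid   Kind = SIC   Serial = 47802   DP = 0
Not_Before: Tue Apr  1 09:00:00 2014   Not_After: Mon Apr  1 09:00:00 2019
"""

_DATES = re.compile(r"Not_Before:\s*(.+?)\s+Not_After:\s*(.+)$")


def parse_lscert(text: str) -> list:
    """Return one dict per certificate; a new record starts at each Subject line."""
    certs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Subject"):
            current = {}
            certs.append(current)
        if current is None:
            continue                       # banner text before the first record
        m = _DATES.match(line)
        if m:
            current["Not_Before"], current["Not_After"] = m.group(1), m.group(2)
            continue
        # "Key = Value" fields are separated by runs of spaces; the Subject
        # value itself contains '=' but no double space, so it stays whole.
        for chunk in re.split(r"\s{2,}", line):
            if " = " in chunk:
                key, value = chunk.split(" = ", 1)
                current[key.strip()] = value.strip()
    return certs


def user_certs(text: str, username: str) -> list:
    """Certificates whose Subject CN is username (case-insensitive, like grep -i)."""
    want = f"cn={username.lower()},"
    return [c for c in parse_lscert(text) if c.get("Subject", "").lower().startswith(want)]


def pending_revocations(text: str, username: str) -> list:
    """Serials of the user's certificates that are still Valid (step 1)."""
    return [c["Serial"] for c in user_certs(text, username) if c.get("Status") == "Valid"]


def revoke_commands(text: str, username: str) -> list:
    """One cpca_client revoke_cert line per still-Valid certificate (step 2)."""
    return [f'cpca_client revoke_cert -n "{c["Subject"]}"'
            for c in user_certs(text, username) if c.get("Status") == "Valid"]


def all_revoked(text: str, username: str) -> bool:
    """Step 3 check: the user has certificates on record and none is still Valid."""
    certs = user_certs(text, username)
    return bool(certs) and not any(c.get("Status") == "Valid" for c in certs)


if __name__ == "__main__":
    print("pending:", pending_revocations(SAMPLE_LSCERT, "johnsmith"))
    print("\n".join(revoke_commands(SAMPLE_LSCERT, "johnsmith")))
    print("all revoked:", all_revoked(SAMPLE_LSCERT, "johnsmith"))
```

Feed it the real listing with cpca_client lscert | python3 this_script.py after swapping SAMPLE_LSCERT for sys.stdin.read(). Keying the check on the Serial rather than on grep context means the step 3 verification fails loudly if any certificate for the user is still Valid, instead of depending on which lines happen to fall inside a -C 1 window.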
verify all certs have a status of revoked [Expert@P1server]# cpca_client lscert | grep -A 2 -i johnsmith Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9 '''Status = Revoked''' Kind = SIC Serial = 26247 DP = 0 Not_Before: Mon Dec 9 20:30:28 2013 Not_After: Sun Dec 9 20:30:28 2018 -- Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9 '''Status = Revoked''' Kind = SIC Serial = 47765 DP = 0 Not_Before: Fri Mar 28 04:57:09 2014 Not_After: Thu Mar 28 04:57:09 2019 -- done 520 2014-07-25T16:54:45Z Nighthawk 1 Created page with " == problem description == Sometimes the need arises to revoke a user's certificate via CLI. One such situation is one where an administrator account was deleted without fir..." wikitext text/x-wiki == problem description == Sometimes the need arises to revoke a user's certificate via CLI. One such situation is one where an administrator account was deleted without first revoking the certificate in the GUI. This will delete the user but leave the user certificate behind. If you try to recreate a user with the same name and generate a certificate, the certificate generation will fail. == solution == 1. verify the user account does NOT currently exist... [Expert@P1server]# cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__ | grep -i johnsmith no return value from above, so account non-existent 2. list current certs for user [Expert@P1server]# '''cpca_client lscert | grep -A 2 -i johnsmith''' Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9 Status = Revoked Kind = SIC Serial = 26247 DP = 0 Not_Before: Mon Dec 9 20:30:28 2013 Not_After: Sun Dec 9 20:30:28 2018 -- Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9 '''Status = Valid''' Kind = SIC Serial = 47765 DP = 0 Not_Before: Fri Mar 28 04:57:09 2014 Not_After: Thu Mar 28 04:57:09 2019 -- 3. 
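An added example, not from this page or from Check Point: a shell helper that automates the list / revoke / verify sequence above for any user. It parses the three-line-per-certificate layout that ''cpca_client lscert'' prints (Subject; Status, Kind, Serial, DP; Not_Before, Not_After), matches the CN exactly rather than with grep's substring match (so ''smith'' cannot revoke ''johnsmith'''s certificate), and prints the ''revoke_cert'' commands instead of running them unless ''DO_REVOKE=1'' is set. The lscert layout, the ''cpca_client'' commands and the johnsmith DN are from the page; the sample listing is constructed, and the function names and the ''DO_REVOKE'' switch are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the cpwiki page): revoke every still-Valid
# certificate for one user from `cpca_client lscert` output.
#
# Constructed sample in the lscert layout shown on the page: johnsmith has one
# already-revoked cert and one Valid cert; janedoe is there to prove that the
# CN match is exact.
SAMPLE_LSCERT='Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9
Status = Revoked   Kind = SIC   Serial = 26247   DP = 0
Not_Before: Mon Dec  9 20:30:28 2013   Not_After: Sun Dec  9 20:30:28 2018
Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9
Status = Valid   Kind = SIC   Serial = 47765   DP = 0
Not_Before: Fri Mar 28 04:57:09 2014   Not_After: Thu Mar 28 04:57:09 2019
Subject = CN=janedoe,OU=users,O=P1server..rsyqv9
Status = Valid   Kind = SIC   Serial = 47800   DP = 0
Not_Before: Fri Mar 28 05:00:00 2014   Not_After: Thu Mar 28 05:00:00 2019'

# Read lscert output on stdin and print the full Subject DN of every
# certificate whose Status is Valid and whose CN equals $1 (case-insensitive).
# Reading stdin instead of calling cpca_client makes it testable on captured text.
valid_dns_for_user() {
    user="$1"
    awk -v u="$(printf '%s' "$user" | tr 'A-Z' 'a-z')" '
        /^Subject = / { dn = substr($0, 11); next }      # "Subject = " is 10 chars
        /^Status = /  {
            split(dn, rdn, ",")                          # rdn[1] is "CN=<name>"
            if ($3 == "Valid" && tolower(rdn[1]) == "cn=" u) print dn
        }'
}

# Revoke every Valid certificate for $1 by DN. Dry run unless DO_REVOKE=1.
revoke_user_certs() {
    user="$1"
    cpca_client lscert | valid_dns_for_user "$user" | while IFS= read -r dn; do
        if [ "${DO_REVOKE:-0}" = "1" ]; then
            cpca_client revoke_cert -n "$dn"
        else
            printf 'would run: cpca_client revoke_cert -n "%s"\n' "$dn"
        fi
    done
}

# Verify step: print 0 when no Valid certificate remains for $1, else the count.
remaining_valid_count() {
    cpca_client lscert | valid_dns_for_user "$1" | grep -c .
}
```

Run it on the management server as `revoke_user_certs johnsmith` first (dry run), then with `DO_REVOKE=1` once the printed DNs are the ones you expect; `remaining_valid_count johnsmith` should print 0 afterwards.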
rewriting grub mbr 0 217 677 676 2017-08-15T22:01:45Z Nighthawk 1 wikitext text/x-wiki
Rewriting the MBR with GRUB legacy from the grub shell. '''root (hd0,0)''' points grub at the partition that holds the grub files (the checks below find stage1 at /grub/stage1 rather than /boot/grub/stage1, so (hd0,0) is a separate /boot partition), and '''setup (hd0)''' installs stage1 into the MBR of the whole disk. Give setup the disk, not the partition: '''setup (hd0,0)''' writes into the partition boot record instead, and the embed of e2fs_stage1_5 fails there with "failed (this is not fatal)".
 grub> '''root (hd0,0)'''
 grub> '''setup (hd0)'''
  Checking if "/boot/grub/stage1" exists... no
  Checking if "/grub/stage1" exists... yes
  Checking if "/grub/stage2" exists... yes
  Checking if "/grub/e2fs_stage1_5" exists... yes
  Running "embed /grub/e2fs_stage1_5 (hd0)"... 15 sectors are embedded.
 succeeded
  Running "install /grub/stage1 (hd0) (hd0)1+15 p (hd0,0)/grub/stage2 /grub/grub.conf"... succeeded
 Done.
4072e8b378575237c7b5eea12833e5148dc3d110
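An added example, not from this page: a post-install check that reads the first sector of the disk and confirms it now holds GRUB legacy stage1, which is the difference between a successful ''setup (hd0)'' and a ''setup (hd0,0)'' that only touched the partition boot record. It checks the 0x55 0xAA boot signature at offset 510 and the literal "GRUB" string that stage1 carries in its error messages. The device path, the function names and the sector-builder used to test it are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the cpwiki page): verify that a disk's MBR carries
# GRUB legacy stage1 after `setup (hd0)`.

# Usage: mbr_has_grub_stage1 /dev/sda   (or any file holding a sector image)
# Returns 0 when the 512-byte sector has both the 0x55AA boot signature at
# offset 510 and the "GRUB " string stage1 embeds, 1 otherwise.
mbr_has_grub_stage1() {
    dev="$1"
    sig="$(dd if="$dev" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')"
    [ "$sig" = "55aa" ] || return 1
    # stage1 keeps its messages ("GRUB \0Geom\0Hard Disk\0Read\0 Error") near
    # the end of the sector; squash non-printable bytes and look for the marker.
    dd if="$dev" bs=512 count=1 2>/dev/null | tr -c '[:print:]' ' ' | grep -q 'GRUB ' || return 1
    return 0
}

# Test support only: build a 512-byte sector image at $1. $2=1 writes the
# "GRUB " marker at offset 0x17F, $3=1 writes the 0x55AA signature at 510.
# A real MBR is read straight from the device; this just fakes one offline.
build_sample_sector() {
    path="$1"
    dd if=/dev/zero of="$path" bs=512 count=1 2>/dev/null
    if [ "$2" = "1" ]; then
        printf 'GRUB ' | dd of="$path" bs=1 seek=383 conv=notrunc 2>/dev/null
    fi
    if [ "$3" = "1" ]; then
        printf '\125\252' | dd of="$path" bs=1 seek=510 conv=notrunc 2>/dev/null
    fi
}
```

On the appliance, run `mbr_has_grub_stage1 /dev/sda && echo MBR ok` from expert mode after the grub session above; a partition device such as /dev/sda1 passing the check while /dev/sda fails is the signature of having typed ''setup (hd0,0)''. The interactive commands can also be fed to the grub legacy shell non-interactively with `grub --batch` and a here-document.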
running SmartConsole in wine on linux 0 169 487 486 2014-05-27T02:30:34Z Nighthawk 1 /* links */ wikitext text/x-wiki
== versions ==
 wine: 1.7.18
 winetricks: 20140302
 smartconsole: R77.10_T131_B990150213
 O.S.: gentoo linux
== prerequisites ==
install wine and winetricks on your distro
== wine setup ==
'''create a 32 bit wineprefix''' (if you don't already have one)
command
 WINEARCH=win32 WINEPREFIX=/path/to/wineprefix winecfg
example
 $ WINEARCH=win32 WINEPREFIX=$HOME/.wine32 winecfg
set the Windows version to Windows 7
[[file:wine_smartconsole_install-winver.png]]
'''set environment'''
 $ export WINEPREFIX=$HOME/.wine32
 $ echo $WINEPREFIX
 /home/jsmith/.wine32
Install .NET 2.0 SP2 using winetricks
 $ winetricks dotnet20sp2
...you should see the .NET Windows installer and license-acceptance windows. It goes through the 2.0 install and then the 2.0 SP2 install.
 $ winetricks dotnet40
... similar to the above
this one may be optional
 $ winetricks gdiplus
== install smartconsole ==
 $ wine ./Check_Point_SmartConsole_and_SmartDomain_Manager_R77.10_T131_B990150213_Windows.exe
You should see something like this... then proceed to install as you would on Windows
[[file:wine32_smartconsole_install-ok.png]]
If you see something like this...
[[file:wine32_smartconsole_install-bad.png]]
... then something went wrong. The Check Point installer should not be trying to install the .NET packages; we already installed them in the earlier steps using winetricks, so check that WINEPREFIX points at the 32-bit prefix those steps were run in.
== links ==
[http://wine-wiki.org/index.php/WINEPREFIX WINEPREFIX info]
<br>[http://wiki.winehq.org/FAQ#head-8d9263369d4c6d93a7cbacf2415377778c679d32 How do I create a 32 bit wineprefix on a 64 bit system?]
<br>[http://appdb.winehq.org/objectManager.php?iId=3754&sClass=version wine .NET Framework > 2.0]
<br>[https://appdb.winehq.org/objectManager.php?sClass=version&iId=17886 wine .NET Framework > 4.0]
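An added example, not from this page or from Check Point: a pre-flight that catches the two ways the "bad" screenshot happens before the installer is launched. It checks that the prefix is 32-bit (wine records ''#arch=win32'' near the top of the prefix's ''system.reg'') and that the winetricks verbs the page installs are recorded in the prefix's ''winetricks.log'', which winetricks appends to after each verb completes; the wrapper at the end reruns the page's steps in order with that check in between. The prefix path default, the function names and the sample prefix used to test them are assumptions.

```shell
#!/bin/sh
# Added example (not from the cpwiki page): check a wineprefix before running
# the SmartConsole installer, then run the page's steps in order.

# Print the architecture of the wineprefix at $1 (win32, win64 or unknown) by
# reading the "#arch=" header wine writes into system.reg.
prefix_arch() {
    prefix="$1"
    reg="$prefix/system.reg"
    [ -r "$reg" ] || { echo unknown; return 1; }
    arch="$(sed -n 's/^#arch=//p' "$reg" | head -n 1)"
    [ -n "$arch" ] && echo "$arch" || echo unknown
}

# Print each winetricks verb (arguments after $1) that is not recorded in
# $1/winetricks.log; prints nothing when all of them are present.
missing_verbs() {
    prefix="$1"; shift
    log="$prefix/winetricks.log"
    for verb in "$@"; do
        grep -qx "$verb" "$log" 2>/dev/null || echo "$verb"
    done
}

# Refuse to continue on a 64-bit prefix or one without the .NET verbs.
preflight() {
    prefix="$1"
    [ "$(prefix_arch "$prefix")" = "win32" ] || { echo "prefix $prefix is not win32"; return 1; }
    missing="$(missing_verbs "$prefix" dotnet20sp2 dotnet40)"
    [ -z "$missing" ] || { echo "missing winetricks verbs: $missing"; return 1; }
    return 0
}

# The page's procedure end to end. $HOME/.wine32 as the default prefix path is
# an assumption taken from the page's example.
install_smartconsole() {
    export WINEARCH=win32
    export WINEPREFIX="${WINEPREFIX:-$HOME/.wine32}"
    [ -d "$WINEPREFIX" ] || winecfg      # creates the prefix; pick Windows 7 in the dialog
    winetricks dotnet20sp2
    winetricks dotnet40
    winetricks gdiplus                   # optional per the page
    preflight "$WINEPREFIX" || return 1
    wine ./Check_Point_SmartConsole_and_SmartDomain_Manager_R77.10_T131_B990150213_Windows.exe
}
```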
secureplatform cron 0 100 171 170 2013-07-18T00:45:01Z Nighthawk 1 /* crontab file examples */ wikitext text/x-wiki
root crons are configured by running '''crontab -e''' at the expert prompt. The cron file is saved to...
 /var/spool/cron/root
== cron file format ==
Each line in a per-user crontab such as /var/spool/cron/root represents a job and has the following format. (The system-wide /etc/crontab differs: it carries an extra ''user'' field between dayofweek and command, so do not paste its lines into '''crontab -e''' unchanged.)
 minute hour day month dayofweek command
* minute — any integer from 0 to 59
* hour — any integer from 0 to 23
* day — any integer from 1 to 31 (must be a valid day if a month is specified)
* month — any integer from 1 to 12 (or the short name of the month such as jan or feb)
* dayofweek — any integer from 0 to 7, where 0 or 7 represents Sunday (or the short name of the day such as sun or mon)
* command — the command to execute (either a command such as ls /proc >> /tmp/proc or the path of a custom script)
Everything in the root crontab runs as root, so keep the scripts it calls owned by root and not writable by group or other.
== crontab file examples ==
 01 * * * * /usr/local/bin/cron.hourly.sh
 02 4 * * * /usr/local/bin/cron.daily.sh
 22 4 * * 0 /usr/local/bin/cron.weekly.sh
 42 4 1 * * /usr/local/bin/cron.monthly.sh
[[category:sysadmin]]
set palo alto firewall management interface ip 0 185 552 2015-01-21T22:49:32Z Nighthawk 1 Created page with " set deviceconfig system ip-address 192.168.2.1 netmask 255.255.255.0 [[category:PAN]] [[category:palo alto]]" wikitext text/x-wiki
From configure mode on the PAN-OS CLI; the new address only takes effect after a commit:
 set deviceconfig system ip-address 192.168.2.1 netmask 255.255.255.0
[[category:PAN]]
[[category:palo alto]]
setting interface affinity 0 221 701 700 2017-10-22T06:36:22Z Nighthawk 1 wikitext text/x-wiki
example (R77.30)
set affinity (interactive: press Return to keep the value shown in brackets, '''all''' to allow every processor, or a list of processor numbers)
 # '''sim affinity -s'''
 Usage : For each interface enter one of the following:
   Return - To keep the default values (appearing in [ ])
   all - To allow all processors for this interface
   List of processors - A list of processor numbers between 0 and 19
 eth1-01 [All] : '''0'''
 eth1-02 [All] : '''0'''
 eth2-01 [All] : '''1'''
 eth2-02 [All] : '''2'''
 eth3-01 [All] : '''3'''
 eth3-02 [All] : '''4'''
 eth3-04 [All] : '''5'''
Note that eth1-01 and eth1-02 share CPU 0 in this example; check the per-core load before pinning two busy interfaces to one processor. '''sim affinity -s''' puts SecureXL into static (manual) mode; '''sim affinity -a''' returns it to automatic assignment.
check affinity
 # sim affinity -l
or
 # fw ctl affinity -l -r
c5bdf6258fda45348382469950021e0c754e6f16
shell inactivity timout 0 177 564 563 2015-09-28T16:53:11Z Nighthawk 1 /* view the current idle timeout */ wikitext text/x-wiki
Gaia and SPLAT shell/ssh timeout values
==newer Gaia versions==
In Clish:
===view the current idle timeout===
For a Gaia Web Portal session:
 HostName> '''show web session-timeout'''
For a Clish session:
 HostName> '''show inactivity-timeout'''
===To change the current idle===
For a Gaia Portal session:
 HostName> '''set web session-timeout VALUE'''
For a Clish session:
 HostName> '''set inactivity-timeout VALUE'''
Don't forget to save the config changes above ('''save config''' in Clish), or they are lost at the next reboot.
==older CP versions==
versions: Tested for SPLAT R75.30 & Gaia R75 & R77.10
The shell timeout for an ssh session is controlled by an environment variable called TMOUT. It defaults to 180 seconds (3 minutes) on many Check Point platforms, which is short for interactive work. Raising it leaves unattended expert shells open for longer, so stay within your policy.
=== check current timeout value ===
 [Expert@myfirewall:0]# '''echo $TMOUT'''
 600
To change it, use cpshell with an account that has root privilege access on SPLAT or Gaia, and set the idle time...
=== changing timeout value ===
 [Expert@myfirewall]# '''cpshell'''
set the idle time in minutes
 [myfirewall]# '''idle 15'''
if you want it to take effect in your current shell... exit cpshell, then from the expert prompt...
 [Expert@myfirewall]# '''source /etc/bashrc'''
---
note, an "Expert" prompt doesn't mean your account has root privileges.

When running the idle command from cpshell for the first time, it creates the following file:
 /etc/cpshell/cpshell.state
this file contains the idle setting
 [Expert@myfirewall]# '''cat /etc/cpshell/cpshell.state | grep idle'''
 idle=15
This file gets parsed by /etc/bashrc when setting up a shell for a newly connected user.
=== shell startup code ===
The TMOUT value is set by /etc/bashrc. You can alter the global bashrc or configure local ones for user accounts. Rather than change the global bashrc, the examples above use cpshell to set it. If you want to change the global bashrc file, below are the snippets of code that control it from a couple of different releases. Note that neither snippet guards against '''idle 0''': that yields TMOUT=0, which bash treats as no timeout at all.

example /etc/bashrc from Check Point Gaia R77.10
 # SPLAT specific setup
 IDLE="`sed -n 's/idle=//p' /etc/cpshell/cpshell.state 2>/dev/null`"
 [ -z "$IDLE" ] && IDLE=3
 export TMOUT=`expr $IDLE \* 60`

example /etc/bashrc from Check Point SecurePlatform R75.30
 # By default, log out the user after three minutes of unattended prompt
 export TMOUT=180
 export SHELL=/bin/bash
 
 # Take into account idle setting of cpshell, if available
 if [ -f /etc/cpshell/cpshell.state ]; then
     idle=`grep idle /etc/cpshell/cpshell.state | sed s/idle=//`
     if [ $idle"UNDEFINED" = "UNDEFINED" ]; then
         idle=3
     fi
     export TMOUT=`expr $idle \* 60`
 fi
[[category:CLI]]
when running the idle command from cpshell for the first time, it creates the following file: /etc/cpshell/cpshell.state this file containes the idle setting [Expert@myfirewall]# '''cat /etc/cpshell/cpshell.state | grep idle''' idle=15 This file gets parsed by /etc/bashrc when setting up a shell for a newly connected user === shell startup code === The TMOUT value is set by /etc/bashrc. You can alter the global bashrc or configure local ones for user accounts. Rather than change the global bashrc, the examples above utilize cpshell to set it. If you want to change the global bashrc file, below are the snippets of code that control it from a couple of different releases. example /etc/bashrc from Check Point Gaia R77.10 # SPLAT specific setup IDLE="`sed -n 's/idle=//p' /etc/cpshell/cpshell.state 2>/dev/null`" [ -z "$IDLE" ] && IDLE=3 export TMOUT=`expr $IDLE \* 60` example /etc/bashrc from Check Point SecurePlatform R75.30 # By default, log out the user after three minutes of unattended prompt export TMOUT=180 export SHELL=/bin/bash <br># Take into account idle setting of cpshell, if available if [ -f /etc/cpshell/cpshell.state ]; then idle=`grep idle /etc/cpshell/cpshell.state | sed s/idle=//` if [ $idle"UNDEFINED" = "UNDEFINED" ]; then idle=3 fi export TMOUT=`expr $idle \* 60` fi [[category:CLI]] 562 561 2015-09-28T16:52:27Z Nighthawk 1 /* newer Gaia versions */ wikitext text/x-wiki Gaia and SPLAT shell/ssh timout values ==newer Gaia versions== In Clish: ===view the current idle timeout=== For Gaia Web Portal session: HostName> show web session-timeout For Clish session: HostName> show inactivity-timeout ===To change the current idle=== For Gaia Portal session: HostName> set web session-timeout VALUE For Clish session: HostName> set inactivity-timeout VALUE Don't forget to save the config changes above ==older CP versions== versions: Tested for SPLAT R75.30 & Gaia R75 & R77.10 the shell timeout for ssh session is controlled by an environment variable called TMOUT. 
it is a ridiculously annoyingly low 180 seconds / 3 minutes by default for many check point platforms. === check current timeout value === [Expert@myfirewall:0]# '''echo $TMOUT''' 600 to change it, use cpshell with account that has root privelege access on SPLAT or Gaia, and set the ilde time... === changing timeout value === [Expert@myfirewall]# '''cpshell''' set idle time in minutes [myfirewall]# '''idle 15''' if you want it to take effect in your current shell... exit cpshell, from the expert prompt... [Expert@myfirewall]# '''source /etc/bashrc ''' --- note, an "Expert" prompt doesn't mean your account has root priveleges. when running the idle command from cpshell for the first time, it creates the following file: /etc/cpshell/cpshell.state this file containes the idle setting [Expert@myfirewall]# '''cat /etc/cpshell/cpshell.state | grep idle''' idle=15 This file gets parsed by /etc/bashrc when setting up a shell for a newly connected user === shell startup code === The TMOUT value is set by /etc/bashrc. You can alter the global bashrc or configure local ones for user accounts. Rather than change the global bashrc, the examples above utilize cpshell to set it. If you want to change the global bashrc file, below are the snippets of code that control it from a couple of different releases. 
example /etc/bashrc from Check Point Gaia R77.10 # SPLAT specific setup IDLE="`sed -n 's/idle=//p' /etc/cpshell/cpshell.state 2>/dev/null`" [ -z "$IDLE" ] && IDLE=3 export TMOUT=`expr $IDLE \* 60` example /etc/bashrc from Check Point SecurePlatform R75.30 # By default, log out the user after three minutes of unattended prompt export TMOUT=180 export SHELL=/bin/bash <br># Take into account idle setting of cpshell, if available if [ -f /etc/cpshell/cpshell.state ]; then idle=`grep idle /etc/cpshell/cpshell.state | sed s/idle=//` if [ $idle"UNDEFINED" = "UNDEFINED" ]; then idle=3 fi export TMOUT=`expr $idle \* 60` fi [[category:CLI]] 561 560 2015-09-28T16:50:33Z Nighthawk 1 wikitext text/x-wiki Gaia and SPLAT shell/ssh timout values ==newer Gaia versions== In Clish: To see the current idle timeout: For Gaia Portal session: HostName> show web session-timeout For Clish session: HostName> show inactivity-timeout To change the current idle timeout on-the-fly: For Gaia Portal session: HostName> set web session-timeout VALUE For Clish session: HostName> set inactivity-timeout VALUE ==older CP versions== versions: Tested for SPLAT R75.30 & Gaia R75 & R77.10 the shell timeout for ssh session is controlled by an environment variable called TMOUT. it is a ridiculously annoyingly low 180 seconds / 3 minutes by default for many check point platforms. === check current timeout value === [Expert@myfirewall:0]# '''echo $TMOUT''' 600 to change it, use cpshell with account that has root privelege access on SPLAT or Gaia, and set the ilde time... === changing timeout value === [Expert@myfirewall]# '''cpshell''' set idle time in minutes [myfirewall]# '''idle 15''' if you want it to take effect in your current shell... exit cpshell, from the expert prompt... [Expert@myfirewall]# '''source /etc/bashrc ''' --- note, an "Expert" prompt doesn't mean your account has root priveleges. 
show interface statistics for up interfaces only 0 186 704 674 2017-12-03T03:56:52Z Nighthawk 1 wikitext text/x-wiki

gaia from bash shell

show IPs/masks
<source lang="bash">
# clish -c "show interfaces all" | grep -B 1 "state on" | grep Interface | grep -v " lo" | awk '{print $2}' | while read line; do printf "$line "; clish -c "show interface $line ipv4-address"; done
</source>

show speeds
<source lang="bash">
# clish -c "show interfaces all" | grep -B 1 "state on" | grep Interface | grep -v " lo" | awk '{print $2}' | while read line; do printf "$line "; clish -c "show interface $line speed"; done
</source>

interface statistics
<source lang="bash">
# clish -c "show interfaces" | while read LINE; do echo; echo $LINE; clish -c "show interface $LINE statistics" |\
grep -v ^$; done
</source>

this will only work from the BASH shell, NOT csh.

old ipso...
<source lang="bash">
[root@myfw ~]# clish -c "show interfaces" | grep -B 1 " Up" | grep "Physical Interface" | grep -v -E "loop0|Tunnel" | awk '{print $3}' | while read LINE; do clish -c "show interface $LINE statistics"; done
</source>
smart reporter 0 208 654 653 2017-05-06T02:27:24Z Nighthawk 1 /* tables */ wikitext text/x-wiki

==databases and versions==
SmartReporter Database Management

This release can use one of these SQL databases:
* MySQL - When you upgrade from R75.40 or earlier to R77, SmartReporter continues to use the legacy MySQL database. In some cases, upgrading from R75.20 or R75.40 can also use MySQL.
* PostgreSQL - All new installations of SmartReporter, from R75.40VS and higher, use the PostgreSQL database.

You do database management operations in these ways:
* With the SmartReporter Database Maintenance view
* With CLI commands. MySQL and PostgreSQL have different commands and procedures
* Changing SmartReporter configuration files

'''To see which SQL database is installed, run:'''
<source lang="bash">
grep DefaultDatabase $CPDIR/registry/HKLM_registry.data
</source>
If the command returns the string PostgreSQL, the database is PostgreSQL. If the command returns another result, the database is MySQL.

==mysql database==
* username for mysql connections: RMSERVER
* password can be set in the SmartReporter GUI under management > database maintenance > change database password
* mysql binary location: $RTDIR/Database/bin/mysql
* socket file: use the one defined in $RTDIR/Database/conf/my.cnf

example command to connect to the local database:
<source lang="bash">
$RTDIR/Database/bin/mysql -u RMSERVER -h localhost -p --socket=/opt/CPrt-R75.40/Database/mysql.sock
</source>

==postgresql==
connecting to the postgresql database:
<source lang="bash">
$CPDIR/database/postgresql/bin/psql -U cp_postgres -p 18272 rt_database
</source>

==logging and session status==
log consolidation session log: $RTDIR/log_consolidator_engine/log/<Session_ID>/lc_rt.log

example of a successful log consolidation entry...
 Last processed file: 2017-03-01_235900.log
 The Engine has finished scanning the requested log files.

==service stop and start==
to stop:
 rmdstop -server

==tables==
=== fwaction ===
{| class="wikitable"
! fw_action_code !! fw_action_name
|-
| -1 ||
|-
| 0 || consolidated
|-
| 1 || encrypt
|-
| 2 || approved
|-
| 3 || accept
|-
| 4 || blocked
|-
| 5 || drop
|-
| 6 || reject
|}
... and more...

[[category:loggin]]
smartlog data path 0 222 702 2017-11-10T18:32:00Z Nighthawk 1 Created page with "r77 index paths... /var/log/opt/CPmds-R77/customers/<customer_name>/CPSmartLog-R77/data/ default data kept = 14 days" wikitext text/x-wiki

r77 index paths...
 /var/log/opt/CPmds-R77/customers/<customer_name>/CPSmartLog-R77/data/
default data kept = 14 days

smartupdate license repository commands 0 227 816 815 2018-06-23T12:51:33Z Nighthawk 1 /* cplic del - delete license from repo */ wikitext text/x-wiki

License Database/repository Operations: taken from R77 CP_R77_CLI_ReferenceGuide.pdf

=='''cplic db_print''' - Print licenses in database/repository==
'''Description''' Displays the details of Check Point licenses stored in the license repository on the Security Management Server.
 cplic db_print <object name | -all> [-n noheader] [-x print signatures] [-t type] [-a attached]

=='''cplic db_add''' - add license to device or repository==
'''Description''' Used to add one or more licenses to the license repository on the Security Management Server. When local licenses are added to the license repository, they are automatically attached to their intended Check Point gateway; '''central licenses need to undergo the attachment process (using cplic put)'''.
 cplic db_add < -l license-file | host expiration-date signature SKU/features >

=='''cplic get''' - retrieve/sync repo with remote gateways==
'''Description''' The cplic get command retrieves all licenses from a Security Gateway (or from all Security Gateways) into the license repository on the Security Management Server. '''This command helps you to synchronize the repository with the Check Point Security Gateways'''. When the command is run, all local changes are updated.
 cplic get {<ipaddr>|<hostname>|-all} [-v41]

example: pretend there was a hardware failure, an RMA was performed, and the new firewall is up and running with the backup config produced by clish "show configuration" as run on the failed device prior to failure. The backup config doesn't include the license; that is the job of the license repository/database on the management device (SmartCenter or Provider-1 CMA). However, the license will still show as attached to the firewall because that was the last license status before the failure. So, to "detach" it in the repo we can run the command as follows:

 [Expert@chkpmgr1:0]# '''cplic get chkpfw1'''
 Getting licenses from chkpfw1 ...
 chkpfw1:
 Retrieved 1 licenses
 Detached 1 licenses
 Removed 0 licenses

=='''cplic put''' - add local or attach license remotely==
'''Description''' Use the cplic put command to attach one or more central or local licenses remotely. When this command is executed, the license repository is also updated.
 cplic put <object name> [-ip dynamic ip] [-F <output file>] -l <license-file> [<host>] [<expiration date>] [<signature>] [<SKU/feature>]

=='''cplic del''' - delete license from repo==
'''WARNING - use with care! deleting a license from an online gateway can cause an outage.'''
'''Description''' Delete a single Check Point license on a host, including unwanted evaluation, expired, and other licenses.
Used for both local and remote machines.
 cplic del [-F <output file>] <signature> <object name>

[[category:license]] [[category:cli]] [[category:smartupdate]]
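An added wrapper (not from this wiki or from the Check Point CLI guide) for the post-RMA sync described under cplic get: it runs the sync for each gateway named on the command line, parses the Retrieved/Detached/Removed lines shown in the example, and flags gateways whose licenses were detached, since those are the boxes that still need cplic put before they are licensed. The CPLIC variable is an assumption made so the parsing can be exercised off a management server.

```shell
#!/bin/sh
# Added example, not from the wiki page: run `cplic get` per gateway and
# report which gateways ended up with licenses detached in the repository.
# Assumes the three "Retrieved/Detached/Removed N licenses" lines shown on
# the page. CPLIC names the cplic binary (default: cplic on PATH).

CPLIC="${CPLIC:-cplic}"

# Read `cplic get` output on stdin and print a one-line summary:
#   <gateway> retrieved=<n> detached=<n> removed=<n>
# Counters that never appear are reported as 0, so an empty or odd run still
# yields a parseable line instead of a blank.
parse_cplic_get() {
    awk -v gw="$1" '
        /Retrieved [0-9]+ licenses/ { r = $2 }
        /Detached [0-9]+ licenses/  { d = $2 }
        /Removed [0-9]+ licenses/   { m = $2 }
        END { printf "%s retrieved=%d detached=%d removed=%d\n", gw, r, d, m }'
}

# Pull one counter out of a summary line, e.g. summary_field "$line" detached
summary_field() {
    v="${1#*$2=}"
    echo "${v%% *}"
}

# Sync one gateway. Prints the summary line and returns 0 when nothing was
# detached, 2 when licenses were detached, 1 when cplic itself failed.
sync_gateway() {
    gw="$1"
    out=$("$CPLIC" get "$gw" 2>&1) || {
        echo "$gw: cplic get failed: $out" >&2
        return 1
    }
    summary=$(printf '%s\n' "$out" | parse_cplic_get "$gw")
    echo "$summary"
    [ "$(summary_field "$summary" detached)" -eq 0 ] && return 0
    return 2
}

# Walk every gateway given as an argument. Overall status is 2 if any gateway
# now has detached licenses, 1 if any sync failed, 0 otherwise, so the caller
# knows whether a cplic put is still outstanding.
sync_gateways() {
    rc=0
    for gw in "$@"; do
        sync_gateway "$gw" && continue
        st=$?
        [ "$st" -eq 2 ] && rc=2
        [ "$st" -eq 1 ] && [ "$rc" -ne 2 ] && rc=1
    done
    return "$rc"
}

sync_gateways "$@"
```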
cplic put <object name> [-ip dynamic ip] [-F <output file>] -l <license-file> [<host>] [<expiration date>] [<signature>] [<SKU/feature> ==delete license from repo== '''Remove license from database''' cplic db_rm <signature> [[category:license]] d4428a70b8c6365f7d19a9ead6ce08e423d92549 801 800 2018-06-23T12:36:19Z Nighthawk 1 /* retrieve/sync repo with remote gateways */ wikitext text/x-wiki License Database/repository Operations: taken from R77 CP_R77_CLI_ReferenceGuide.pdf ==Print licenses in database/repository== cplic db_print <object name | -all> [-n noheader] [-x print signatures] [-t type] [-a attached] ==add license to device or repository== '''cplic db_add''' cplic db_add < -l license-file | host expiration-date signature SKU/features > <br>'''Description''' Used to add one or more licenses to the license repository on the Security Management server. When local license are added to the license repository, they are automatically attached to its intended Check Point gateway, '''central licenses need to undergo the attachment process(using cplic put)'''. =='''cplic get''' - retrieve/sync repo with remote gateways== '''Description ''' The cplic get command retrieves all licenses from a Security Gateway (or from all Security Gateways) into the license repository on the Security Management Server. '''This command helps you to synchronize the repository with the Check Point Security Gateways'''. When the command is run, all local changes are updated. =='''cplic put''' - add local or attach license remotely== <br>'''Description ''' Use the cplic put command to attach one or more central or local license remotely. When this command is executed, the license repository is also updated. 
cplic put <object name> [-ip dynamic ip] [-F <output file>] -l <license-file> [<host>] [<expiration date>] [<signature>] [<SKU/feature> ==delete license from repo== '''Remove license from database''' cplic db_rm <signature> [[category:license]] a086ffee550caa4ab3291e2c651d2cd43f99dc98 800 799 2018-06-23T12:35:53Z Nighthawk 1 /* add local or attach license remotely */ wikitext text/x-wiki License Database/repository Operations: taken from R77 CP_R77_CLI_ReferenceGuide.pdf ==Print licenses in database/repository== cplic db_print <object name | -all> [-n noheader] [-x print signatures] [-t type] [-a attached] ==add license to device or repository== '''cplic db_add''' cplic db_add < -l license-file | host expiration-date signature SKU/features > <br>'''Description''' Used to add one or more licenses to the license repository on the Security Management server. When local license are added to the license repository, they are automatically attached to its intended Check Point gateway, '''central licenses need to undergo the attachment process(using cplic put)'''. ==retrieve/sync repo with remote gateways== '''cplic get''' <br>'''Description ''' The cplic get command retrieves all licenses from a Security Gateway (or from all Security Gateways) into the license repository on the Security Management Server. '''This command helps you to synchronize the repository with the Check Point Security Gateways'''. When the command is run, all local changes are updated. =='''cplic put''' - add local or attach license remotely== <br>'''Description ''' Use the cplic put command to attach one or more central or local license remotely. When this command is executed, the license repository is also updated. 
cplic put <object name> [-ip dynamic ip] [-F <output file>] -l <license-file> [<host>] [<expiration date>] [<signature>] [<SKU/feature> ==delete license from repo== '''Remove license from database''' cplic db_rm <signature> [[category:license]] bcb084b7e427c9e2537df460df9dad9c1d20c275 799 798 2018-06-23T12:35:23Z Nighthawk 1 /* add local or attach license remotely */ wikitext text/x-wiki License Database/repository Operations: taken from R77 CP_R77_CLI_ReferenceGuide.pdf ==Print licenses in database/repository== cplic db_print <object name | -all> [-n noheader] [-x print signatures] [-t type] [-a attached] ==add license to device or repository== '''cplic db_add''' cplic db_add < -l license-file | host expiration-date signature SKU/features > <br>'''Description''' Used to add one or more licenses to the license repository on the Security Management server. When local license are added to the license repository, they are automatically attached to its intended Check Point gateway, '''central licenses need to undergo the attachment process(using cplic put)'''. ==retrieve/sync repo with remote gateways== '''cplic get''' <br>'''Description ''' The cplic get command retrieves all licenses from a Security Gateway (or from all Security Gateways) into the license repository on the Security Management Server. '''This command helps you to synchronize the repository with the Check Point Security Gateways'''. When the command is run, all local changes are updated. ==add local or attach license remotely== <br>'''Description ''' Use the cplic put command to attach one or more central or local license remotely. When this command is executed, the license repository is also updated. 
cplic put <object name> [-ip dynamic ip] [-F <output file>] -l <license-file> [<host>] [<expiration date>] [<signature>] [<SKU/feature> ==delete license from repo== '''Remove license from database''' cplic db_rm <signature> [[category:license]] 4f3f3823612693e31d1aa501ed37dcf28996f1f7 798 797 2018-06-23T12:35:03Z Nighthawk 1 /* add local or attach license remotely */ wikitext text/x-wiki License Database/repository Operations: taken from R77 CP_R77_CLI_ReferenceGuide.pdf ==Print licenses in database/repository== cplic db_print <object name | -all> [-n noheader] [-x print signatures] [-t type] [-a attached] ==add license to device or repository== '''cplic db_add''' cplic db_add < -l license-file | host expiration-date signature SKU/features > <br>'''Description''' Used to add one or more licenses to the license repository on the Security Management server. When local license are added to the license repository, they are automatically attached to its intended Check Point gateway, '''central licenses need to undergo the attachment process(using cplic put)'''. ==retrieve/sync repo with remote gateways== '''cplic get''' <br>'''Description ''' The cplic get command retrieves all licenses from a Security Gateway (or from all Security Gateways) into the license repository on the Security Management Server. '''This command helps you to synchronize the repository with the Check Point Security Gateways'''. When the command is run, all local changes are updated. ==add local or attach license remotely== cplic put <object name> [-ip dynamic ip] [-F <output file>] -l <license-file> [<host>] [<expiration date>] [<signature>] [<SKU/feature> <br>'''Description ''' Use the cplic put command to attach one or more central or local license remotely. When this command is executed, the license repository is also updated. 
==delete license from repo== '''Remove license from database''' cplic db_rm <signature> [[category:license]] 68c44ca0daadb88bf98441437a4d10b4d62f87d6 797 796 2018-06-23T12:34:23Z Nighthawk 1 /* add local or attach license remotely */ wikitext text/x-wiki License Database/repository Operations: taken from R77 CP_R77_CLI_ReferenceGuide.pdf ==Print licenses in database/repository== cplic db_print <object name | -all> [-n noheader] [-x print signatures] [-t type] [-a attached] ==add license to device or repository== '''cplic db_add''' cplic db_add < -l license-file | host expiration-date signature SKU/features > <br>'''Description''' Used to add one or more licenses to the license repository on the Security Management server. When local license are added to the license repository, they are automatically attached to its intended Check Point gateway, '''central licenses need to undergo the attachment process(using cplic put)'''. ==retrieve/sync repo with remote gateways== '''cplic get''' <br>'''Description ''' The cplic get command retrieves all licenses from a Security Gateway (or from all Security Gateways) into the license repository on the Security Management Server. '''This command helps you to synchronize the repository with the Check Point Security Gateways'''. When the command is run, all local changes are updated. ==add local or attach license remotely== cplic put <object name> [-ip dynamic ip] [-F <output file>] -l <license-file> [<host>] [<expiration date>] [<signature>] [<SKU/feature> <br>'''Description ''' Use the cplic put command to attach one or more central or local license remotely. When this command is executed, the license repository is also updated. 
'''Remove license from database''' cplic db_rm <signature> [[category:license]] cac960317ebdbc3e9c3d465bcf5395cba02dd8fb 796 795 2018-06-23T12:33:58Z Nighthawk 1 /* add local or attach license remotely */ wikitext text/x-wiki License Database/repository Operations: taken from R77 CP_R77_CLI_ReferenceGuide.pdf ==Print licenses in database/repository== cplic db_print <object name | -all> [-n noheader] [-x print signatures] [-t type] [-a attached] ==add license to device or repository== '''cplic db_add''' cplic db_add < -l license-file | host expiration-date signature SKU/features > <br>'''Description''' Used to add one or more licenses to the license repository on the Security Management server. When local license are added to the license repository, they are automatically attached to its intended Check Point gateway, '''central licenses need to undergo the attachment process(using cplic put)'''. ==retrieve/sync repo with remote gateways== '''cplic get''' <br>'''Description ''' The cplic get command retrieves all licenses from a Security Gateway (or from all Security Gateways) into the license repository on the Security Management Server. '''This command helps you to synchronize the repository with the Check Point Security Gateways'''. When the command is run, all local changes are updated. ==add local or attach license remotely== '''cplic put''' <br>'''Description ''' Use the cplic put command to attach one or more central or local license remotely. When this command is executed, the license repository is also updated. 
cplic put <object name> [-ip dynamic ip] [-F <output file>] -l <license-file> [<host>] [<expiration date>] [<signature>] [<SKU/feature> '''Remove license from database''' cplic db_rm <signature> [[category:license]] 6da82159454d9eb0bdb556fb6b97839876dd564a 795 794 2018-06-23T12:32:41Z Nighthawk 1 wikitext text/x-wiki License Database/repository Operations: taken from R77 CP_R77_CLI_ReferenceGuide.pdf ==Print licenses in database/repository== cplic db_print <object name | -all> [-n noheader] [-x print signatures] [-t type] [-a attached] ==add license to device or repository== '''cplic db_add''' cplic db_add < -l license-file | host expiration-date signature SKU/features > <br>'''Description''' Used to add one or more licenses to the license repository on the Security Management server. When local license are added to the license repository, they are automatically attached to its intended Check Point gateway, '''central licenses need to undergo the attachment process(using cplic put)'''. ==retrieve/sync repo with remote gateways== '''cplic get''' <br>'''Description ''' The cplic get command retrieves all licenses from a Security Gateway (or from all Security Gateways) into the license repository on the Security Management Server. '''This command helps you to synchronize the repository with the Check Point Security Gateways'''. When the command is run, all local changes are updated. ==add local or attach license remotely== '''cplic put''' '''Description ''' Use the cplic put command to attach one or more central or local license remotely. When this command is executed, the license repository is also updated. 
cplic put <object name> [-ip dynamic ip] [-F <output file>] -l <license-file> [<host>] [<expiration date>] [<signature>] [<SKU/feature> '''Remove license from database''' cplic db_rm <signature> [[category:license]] a93520b416c39f992e34b73150654bf09f587e24 794 793 2018-06-23T12:31:30Z Nighthawk 1 wikitext text/x-wiki License Database/repository Operations: taken from R77 CP_R77_CLI_ReferenceGuide.pdf ==Print licenses in database/repository== cplic db_print <object name | -all> [-n noheader] [-x print signatures] [-t type] [-a attached] ==add license to device or repository== '''cplic db_add''' <br>'''Description''' Used to add one or more licenses to the license repository on the Security Management server. When local license are added to the license repository, they are automatically attached to its intended Check Point gateway, '''central licenses need to undergo the attachment process(using cplic put)'''. ==retrieve/sync repo with remote gateways== '''cplic get''' <br>'''Description ''' The cplic get command retrieves all licenses from a Security Gateway (or from all Security Gateways) into the license repository on the Security Management Server. '''This command helps you to synchronize the repository with the Check Point Security Gateways'''. When the command is run, all local changes are updated. ==add local or attach license remotely== '''cplic put''' '''Description ''' Use the cplic put command to attach one or more central or local license remotely. When this command is executed, the license repository is also updated. 
cplic put <object name> [-ip dynamic ip] [-F <output file>] -l <license-file> [<host>] [<expiration date>] [<signature>] [<SKU/feature> '''Add license to database''' cplic db_add < -l license-file | host expiration-date signature SKU/features > '''Remove license from database''' cplic db_rm <signature> [[category:license]] 59e837f608775b8f2888d4d35a20ec3a9383980f 793 714 2018-06-23T12:28:44Z Nighthawk 1 wikitext text/x-wiki License Database Operations: taken from R77 CP_R77_CLI_ReferenceGuide.pdf '''Print licenses in database''' cplic db_print <object name | -all> [-n noheader] [-x print signatures] [-t type] [-a attached] '''cplic db_add''' <br>'''Description''' Used to add one or more licenses to the license repository on the Security Management server. When local license are added to the license repository, they are automatically attached to its intended Check Point gateway, '''central licenses need to undergo the attachment process(using cplic put)'''. '''cplic get''' <br>'''Description ''' The cplic get command retrieves all licenses from a Security Gateway (or from all Security Gateways) into the license repository on the Security Management Server. '''This command helps you to synchronize the repository with the Check Point Security Gateways'''. When the command is run, all local changes are updated. '''cplic put''' '''Description ''' Use the cplic put command to attach one or more central or local license remotely. When this command is executed, the license repository is also updated. cplic put <object name> [-ip dynamic ip] [-F <output file>] -l <license-file> [<host>] [<expiration date>] [<signature>] [<SKU/feature> '''Add license to database''' cplic db_add < -l license-file | host expiration-date signature SKU/features > '''Remove license from database''' cplic db_rm <signature> [[category:license]] a5caa916b0266cb65c916d6494b84315873a2953 714 713 2018-02-02T15:41:49Z Nighthawk 1 wikitext text/x-wiki License Database Operations: cplic db_add ... 
cplic db_rm <signature> cplic db_print <object name | -all> ... '''Add license to database''' cplic db_add < -l license-file | host expiration-date signature SKU/features > '''Remove license from database''' cplic db_rm <signature> '''Print licenses in database''' cplic db_print <object name | -all> [-n noheader] [-x print signatures] [-t type] [-a attached] [[category:license]] 977eaa9606a0974f8b7f788f478bbbc2c756a9ca 713 2018-02-02T15:41:27Z Nighthawk 1 Created page with "License Database Operations: cplic db_add ... cplic db_rm <signature> cplic db_print <object name | -all> ... '''Add license to database''' cplic db_add < -l license-file..." wikitext text/x-wiki License Database Operations: cplic db_add ... cplic db_rm <signature> cplic db_print <object name | -all> ... '''Add license to database''' cplic db_add < -l license-file | host expiration-date signature SKU/features > '''Remove license from database''' cplic db_rm <signature> ''' Print licenses in database''' cplic db_print <object name | -all> [-n noheader] [-x print signatures] [-t type] [-a attached] [[category:license]] be12a8aac7459692fd372bf8476cad66c3811907 snmp 0 254 924 923 2024-07-08T20:56:55Z Nighthawk 1 wikitext text/x-wiki mib files location on check point device $CPDIR/lib/snmp/ ==mib descriptions and OID of interest== appliance model "svnApplianceProductName" "1.3.6.1.4.1.2620.1.6.16.7" get check point version "svnVersion" "1.3.6.1.4.1.2620.1.6.4.1" example: [Expert@chkpfw1:0]# '''snmpget -v2c -c public localhost 1.3.6.1.4.1.2620.1.6.4.1.0''' SNMPv2-SMI::enterprises.2620.1.6.4.1.0 = STRING: "R80.20" firewall connections $ '''snmptranslate -Tz -m CHECKPOINT-MIB | grep -i fwnumconn''' "fwNumConn" "1.3.6.1.4.1.2620.1.1.25.3" $ '''snmpget -v 2c -c public 10.0.0.254 1.3.6.1.4.1.2620.1.1.25.3.0''' SNMPv2-SMI::enterprises.2620.1.1.25.3.0 = Gauge32: 3310 [[category:snmp]] [[category:monitoring]] 6122ef03384c423ac6fa6d2df172d7568a315eaf 923 861 2024-07-08T20:53:59Z Nighthawk 1 wikitext 
text/x-wiki mib files location on check point device $CPDIR/lib/snmp/ ==mib descriptions and OID of interest== appliance model "svnApplianceProductName" "1.3.6.1.4.1.2620.1.6.16.7" get check point version "svnVersion" "1.3.6.1.4.1.2620.1.6.4.1" example: [Expert@chkpfw1:0]# '''snmpget -v2c -c public localhost 1.3.6.1.4.1.2620.1.6.4.1.0''' SNMPv2-SMI::enterprises.2620.1.6.4.1.0 = STRING: "R80.20" firewall connections $ '''snmptranslate -Tz -m CHECKPOINT-MIB | grep -i fwnumconn''' "fwNumConn" "1.3.6.1.4.1.2620.1.1.25.3" $ '''snmpget -v 2c -c public 10.0.0.254 1.3.6.1.4.1.2620.1.1.25.3.0''' SNMPv2-SMI::enterprises.2620.1.1.25.3.0 = Gauge32: 3310 [[category:snmp]] [[category:monitoring]] 36ab182791544afcea976fd471002e01adeaf4a8 861 839 2021-04-15T18:39:38Z Nighthawk 1 wikitext text/x-wiki mib files location on check point device $CPDIR/lib/snmp/ ==mib descriptions and OID of interest== appliance model "svnApplianceProductName" "1.3.6.1.4.1.2620.1.6.16.7" get check point version "svnVersion" "1.3.6.1.4.1.2620.1.6.4.1" example: [Expert@chkpfw1:0]# '''snmpget -v2c -c public localhost 1.3.6.1.4.1.2620.1.6.4.1.0''' SNMPv2-SMI::enterprises.2620.1.6.4.1.0 = STRING: "R80.20" [[category:snmp]] [[category:monitoring]] 0c0a90b9dd04488802971cac095340b11220be86 839 2020-06-19T16:55:32Z Nighthawk 1 Created page with "mib files location $CPDIR/lib/snmp/ translating to/from OIDs and mib descriptions $ snmptranslate -Tz | grep -i <description | OID> [[category:snmp]] [[category:monitoring]]" wikitext text/x-wiki mib files location $CPDIR/lib/snmp/ translating to/from OIDs and mib descriptions $ snmptranslate -Tz | grep -i <description | OID> [[category:snmp]] [[category:monitoring]] 6c9c2e32088961b65cb157dc9ee7a310094888c5 snmp-extend to run custom script 0 257 862 850 2021-04-21T02:31:00Z Nighthawk 1 wikitext text/x-wiki 1) Create a script/command that monitors something on your system and output the result to stdout. 
example script: /usr/local/bin/check_everything.sh, which outputs either...
 STATUS: OK - everything good
or
 STATUS: NOT OK!

2) Create an entry in the SNMP config for the monitor script:

 # vi /etc/snmp/userDefinedSettings.conf

add a line...

 extend everything_status /bin/sh /usr/local/bin/check_everything.sh

3) Restart snmpd: from clish, run "set snmp agent off" then run "set snmp agent on".

4) Test it with a walk

 $ snmpwalk -On -v2c -c mycomstring 192.168.1.1 NET-SNMP-EXTEND-MIB::nsExtendObjects
 .1.3.6.1.4.1.8072.1.3.2.1.0 = INTEGER: 1
 .1.3.6.1.4.1.8072.1.3.2.2.1.2.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = STRING: /bin/sh
 .1.3.6.1.4.1.8072.1.3.2.2.1.3.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = STRING: /usr/local/bin/check_everything.sh
 .1.3.6.1.4.1.8072.1.3.2.2.1.4.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = STRING:
 .1.3.6.1.4.1.8072.1.3.2.2.1.5.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = INTEGER: 5
 .1.3.6.1.4.1.8072.1.3.2.2.1.6.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = INTEGER: exec(1)
 .1.3.6.1.4.1.8072.1.3.2.2.1.7.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = INTEGER: run-on-read(1)
 .1.3.6.1.4.1.8072.1.3.2.2.1.20.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = INTEGER: permanent(4)
 .1.3.6.1.4.1.8072.1.3.2.2.1.21.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = INTEGER: active(1)
 .1.3.6.1.4.1.8072.1.3.2.3.1.1.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = STRING: STATUS: OK - everything good
 .1.3.6.1.4.1.8072.1.3.2.3.1.2.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = STRING: STATUS: OK - everything good
 .1.3.6.1.4.1.8072.1.3.2.3.1.3.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = INTEGER: 1
 .1.3.6.1.4.1.8072.1.3.2.3.1.4.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = INTEGER: 0
 .1.3.6.1.4.1.8072.1.3.2.4.1.2.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115.1 = STRING: STATUS: OK - everything good

with a get

 $ snmpget -v 2c -c mycomstring 192.168.1.1 .1.3.6.1.4.1.8072.1.3.2.4.1.2.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115.1
 NET-SNMP-EXTEND-MIB::nsExtendOutLine."fwpolicy_status".1 = STRING: STATUS: OK - everything good
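An added example (not code from this wiki) that consumes the walk and get output shown above and the snmpget output on the snmp page: it parses Net-SNMP's textual lines, decodes the length-prefixed extend name carried in the OID index (15 followed by the character codes of fwpolicy_status), and turns the values into a pass/fail check. The nsExtendResult column OID and the connection threshold are assumptions, not values from the page.

```python
"""Parse the snmpget/snmpwalk output shown on this wiki (Net-SNMP textual lines),
decode NET-SNMP-EXTEND-MIB row indexes and turn the values into a health check.
Added example, not code from the wiki."""
import re

# Check Point OIDs quoted on the snmp page (snmpget appends the .0 instance)
SVN_VERSION = "1.3.6.1.4.1.2620.1.6.4.1"
FW_NUM_CONN = "1.3.6.1.4.1.2620.1.1.25.3"
# NET-SNMP-EXTEND-MIB columns: nsExtendOutLine is confirmed by the page's snmpget;
# nsExtendResult (the script's exit status) is assumed from the MIB
NS_EXTEND_RESULT = "1.3.6.1.4.1.8072.1.3.2.3.1.4"
NS_EXTEND_OUT_LINE = "1.3.6.1.4.1.8072.1.3.2.4.1.2"
ENTERPRISES_PREFIX = "SNMPv2-SMI::enterprises."
LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?P<type>[A-Za-z0-9-]+):\s?(?P<value>.*)$")

def normalize_oid(oid):
    """'SNMPv2-SMI::enterprises.2620.1.6.4.1.0' and '.1.3.6.1.4.1.8072...' both
    become a plain numeric OID without the leading dot."""
    if oid.startswith(ENTERPRISES_PREFIX):
        oid = "1.3.6.1.4.1." + oid[len(ENTERPRISES_PREFIX):]
    return oid.lstrip(".")

def parse_line(line):
    """Return (oid, value) for one '<oid> = <TYPE>: <value>' line, else None.
    Numeric types become int (enum labels like exec(1) keep the number);
    quoted STRING values lose their quotes."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    oid, typ, value = normalize_oid(m["oid"]), m["type"], m["value"]
    if typ in ("INTEGER", "Gauge32", "Counter32", "Counter64"):
        num = re.search(r"(-?\d+)\)?\s*$", value)
        value = int(num.group(1)) if num else None
    elif typ == "STRING" and len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return oid, value

def decode_extend_index(oid, column):
    """Split a row OID below `column`: the index is the extend name's length, one
    sub-identifier per character (15.102.119... is 'fwpolicy_status'), then any
    further sub-index such as the output line number."""
    if not oid.startswith(column + "."):
        return None
    parts = [int(p) for p in oid[len(column) + 1:].split(".")]
    length, rest = parts[0], parts[1:]
    if len(rest) < length:
        raise ValueError("truncated extend index in " + oid)
    return "".join(chr(c) for c in rest[:length]), rest[length:]

def extend_results(lines):
    """Exit status and ordered output lines per extend name, from a walk."""
    results = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        oid, value = parsed
        hit = decode_extend_index(oid, NS_EXTEND_RESULT)
        if hit:
            results.setdefault(hit[0], {"exit": None, "lines": []})["exit"] = value
            continue
        hit = decode_extend_index(oid, NS_EXTEND_OUT_LINE)
        if hit:
            name, sub = hit
            entry = results.setdefault(name, {"exit": None, "lines": []})
            entry["lines"].append((sub[0] if sub else 0, value))
    for entry in results.values():
        entry["lines"] = [text for _, text in sorted(entry["lines"])]
    return results

def check_extend(lines, name):
    """Healthy only if the script exited 0 and its first line starts with 'STATUS: OK'.
    No rows at all usually means snmpd was not restarted or the extend name differs."""
    entry = extend_results(lines).get(name)
    if entry is None:
        return False, "no nsExtend rows for " + name
    first = entry["lines"][0] if entry["lines"] else ""
    return entry["exit"] == 0 and first.startswith("STATUS: OK"), first

def firewall_summary(lines, max_conn):
    """Version and connection count from snmpget lines; max_conn is a constructed
    alert threshold, not a value from the page."""
    values = dict(p for p in map(parse_line, lines) if p)
    conns = values.get(FW_NUM_CONN + ".0")
    return {"version": values.get(SVN_VERSION + ".0"), "connections": conns,
            "over_limit": conns is not None and conns > max_conn}

# Output lines copied from the page's snmpget and snmpwalk examples
PAGE_GET_OUTPUT = ['SNMPv2-SMI::enterprises.2620.1.6.4.1.0 = STRING: "R80.20"',
                   "SNMPv2-SMI::enterprises.2620.1.1.25.3.0 = Gauge32: 3310"]
EXTEND_INDEX = "15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115"
PAGE_WALK_OUTPUT = [
    ".1.3.6.1.4.1.8072.1.3.2.2.1.6.%s = INTEGER: exec(1)" % EXTEND_INDEX,
    ".1.3.6.1.4.1.8072.1.3.2.3.1.4.%s = INTEGER: 0" % EXTEND_INDEX,
    ".1.3.6.1.4.1.8072.1.3.2.4.1.2.%s.1 = STRING: STATUS: OK - everything good" % EXTEND_INDEX,
]
# Constructed failing walk (not on the page): the script exits 1 and reports NOT OK
FAIL_WALK_OUTPUT = [
    ".1.3.6.1.4.1.8072.1.3.2.3.1.4.%s = INTEGER: 1" % EXTEND_INDEX,
    ".1.3.6.1.4.1.8072.1.3.2.4.1.2.%s.1 = STRING: STATUS: NOT OK!" % EXTEND_INDEX,
]
```

Decoding the index of the walk shown above yields fwpolicy_status, so that walk was taken against an extend of that name; with the config line above you would look up everything_status instead.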
= ssh tunneling r80.x smartconsole GUI =
(Nighthawk, created 2019-05-09)

==disclaimer==
this is not a recommended or secure configuration for production systems!

==sshd_config==
modify the line

 AllowTcpForwarding no

to

 AllowTcpForwarding yes

and restart sshd

 /etc/init.d/sshd restart

==ssh tunnel commands==
Main GUI connection - port 19009

 # ssh -f -N -L <relay_host>:19009:<r80_mgmt_svr>:19009 username@<r80_mgmt_svr>

CRL download - port 18264

 # ssh -f -N -L <relay_host>:18264:<r80_mgmt_svr>:18264 username@<r80_mgmt_svr>

ICA connection - port 18190 - needed for manipulating objects which have SIC attributes

 # ssh -f -N -L <relay_host>:18190:<r80_mgmt_svr>:18190 username@<r80_mgmt_svr>

==GUI connection==
launch the smartconsole and specify the <relay_host> ip or hostname as the destination

= ssl network extender on gentoo linux =
(Nighthawk, last edited 2016-04-26)

This page describes how to get the SSL Network Extender (SNX) client up and running on a linux box. This is an alternative to running the Secure Remote or Mobile client on a winblows box to establish a client-to-gateway vpn. To configure the SSL Network Extender server, please see the VPN Administration Guide for your version of Check Point.

== install a java runtime environment JRE ==
google it if ya need to...

== downloading snx ==
if you can find it on the support website, download it. I found it once, but had trouble finding it again. An alternative is to download it from the SSL gateway. After logging into your gateway via web browser, click on settings

[[file:snx-1.png]]

Then you will hopefully find a download link like this...
[[file:snx-2.png]] == install SNX == run the install file. It put a binary in /usr/bin/snx for me. The SSL gateway will likely download and try to install it for you. You may see a screen like... [[file:snx-3]] Then provide your root password and it should install for you. == test run snx == Often you will receive a "failed to initialize" error message when trying to connect. If so, run it from CLI to see what error messages you get. $ snx snx: error while loading shared libraries: libstdc++.so.5: cannot open shared object file: No such file or directory gentoo $ sudo emerge -av --quiet sys-libs/libstdc++-v3 for debian or ubuntu, if you can find the package... $ dpkg -i libstdc++5_3.3.6-17ubuntu1_i386.deb when if works, you should be able to run it and it will give you a help message like.. $ snx failed to open file: /home/john/.snxrc Valid attributes are: - server SNX server to connet to - sslport The SNX SSL port (if not default) - username the user name - certificate certificate file to use - calist directory containing CA files - reauth enable automatic reauthentication. Valid values { yes, no } - debug enable debug output. Valid values { yes, 1-5 } - cipher encryption algorithm to use. Valid values { RC4 / 3DES } - proxy_name proxy hostname - proxy_port proxy port - proxy_user username for proxy authentication == connect to SSL gateway == Once connected you should see something like this... [[file:snx-4.png]] and see a tun interface on you box. So, your client linux kernel must support creating tun interfaces to. # ifconfig tunsnx /vol1/distfiles tunsnx: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500 inet 172.16.10.41 netmask 255.255.255.255 destination 172.16.10.40 unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 1551 bytes 135768 (132.5 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 Ready to use your vpn! 
== links == I found this very helpful... [http://www.linuxplanet.org/blogs/?cat=2475 Check Point SSL Network Extender] [[category:vpn]] 556 439 2015-03-11T16:37:58Z Nighthawk 1 /* test run snx */ wikitext text/x-wiki This page describes how to get the ssl extender SNX client up and running on a linux box. This is alternative to running the Secure Remote or Mobile client on a winblows box to establih a client to gateway vpn. For configure the SSL Network Extender server, please see the VPN Administration Guide for you version of Check Point. == install a java runtime environment JRE == google it if ya need to... == downloading snx == if you can find it on the support website, download it. I found it once, but had trouble finding it again. An alternative is to download it from the SSL gateway. After logging into your gateway via web browser, click on settings [[file:snx-1.png]] Then you will hopefully find a download link like this... [[file:snx-2.png]] == install SNX == run the install file. It put a binary in /usr/bin/snx for me. The SSL gateway will likely download and try to install it for you. You may see a screen like... [[file:snx-3]] Then provide your root password and it should install for you. == test run snx == Often you will receive a "failed to initialize" error message when trying to connect. If so, run it from CLI to see what error messages you get. $ snx snx: error while loading shared libraries: libstdc++.so.5: cannot open shared object file: No such file or directory gentoo $ sudo emerge -av --quiet sys-libs/libstdc++-v3 for debian or ubuntu, if you can find the package... $ dpkg -i libstdc++5_3.3.6-17ubuntu1_i386.deb when if works, you should be able to run it and it will give you a help message like.. 
'''uninstalling check point products''' (Nighthawk, 2013-09-13T06:48:22Z)

== list installed Check Point RPMs ==
 [Expert@chkpfw1]# '''rpm -qa |grep -i ^cp| sort'''
 CPbackup-1-620000044
 CPinfo-10-00
 CPportal-R75.40-00
 CPshell-1-986000015
 CPsplatIS-R75.40-00
 CPsuite-R75.40-00
 cp-release-540-R75.40
 cpio-2.5-3cp

The grep also catches cpio, which is the system archiver (a Check Point build of it, hence the cp release tag), not a product package; leave it alone.

== Uninstall in reverse order of dependencies ==
Each Check Point package checks for dependents in its uninstall script, so remove the add-ons (portal, CPinfo) before the suite itself. Removing CPsuite stops the firewall processes, so expect to lose enforcement (and any remote access that depends on it) until the products are reinstalled and the box rebooted; do this from the console.

 [Expert@chkpfw1]# '''rpm -e CPportal-R75.40-00'''
 There are no packages dependent on: Check Point Management Portal R75.40.
 *******************************************
 IMPORTANT: You must REBOOT the machine !!!!
 *******************************************

 *****************************************************************
 Check Point Management Portal R75.40 uninstall complete.
 *****************************************************************

 [Expert@chkpfw1]# '''rpm -e CPinfo-10-00'''
 There are no packages dependent on: Check Point CPinfo.

 **************************************
 Check Point CPinfo uninstall complete.
 **************************************

 [Expert@chkpfw1]# '''rpm -e CPsuite-R75.40-00'''
 There are no packages dependent on: Check Point R75.40.
 *******************************
 Stopping Check Point Processes.
 *******************************

 *****************************************************
 IMPORTANT: You must REBOOT the machine !!!!
 *****************************************************

 *****************************************
 Check Point R75.40 uninstall complete.
 *****************************************

== Re-install products with sysconfig ==
 sysconfig

 Choose a configuration item ('e' to exit):
 ------------------------------------------------------------------
 1) Host name                 7) DHCP Server Configuration
 2) Domain name               8) DHCP Relay Configuration
 3) Domain name servers       9) Export Setup
 4) Time and Date            10) Products Installation
 5) Network Connections      11) Products Configuration
 6) Routing                  12) Hardware Monitoring
 ------------------------------------------------------------------

Choose 10) Products Installation.

Welcome screen... hit N for Next

License agreement... hit Y for Yes

 1 (*) New Installation
 2 ( ) Installation Using Imported Configuration
 ...
You can figure it out from here.
'''verify gaia vrrp preempt mode''' (Nighthawk, 2016-11-14T20:20:31Z)

<src>
[Expert@chkpfw1:0]# clish -c "show configuration" | grep preempt | awk '{print $(NF-1), $NF}'
preempt-mode off
</src>

'''viewing CoreXL statistics''' (Nighthawk, 2013-07-23T16:34:05Z)

The following command displays the status of the CoreXL instances and a traffic summary for each instance (current and peak number of concurrent connections), which is the quickest way to see whether connections are spread evenly across the instances:

 # '''fw ctl multik stat'''
 ID | Active | CPU | Connections | Peak
 -------------------------------------------
  0 | Yes    | 5   | 2250        | 6165
  1 | Yes    | 4   | 2952        | 4677
  2 | Yes    | 3   | 2813        | 4337

To see which CPU core each kernel instance is pinned to:

 [Expert@chkpfw]# fw ctl affinity -l -v
 Kernel fw_0: CPU 5
 Kernel fw_1: CPU 4
 Kernel fw_2: CPU 3

[[category:corexl]]

'''vmware nsx notes''' (Nighthawk, 2019-08-16T15:44:42Z)

=NSX-T=
==Tier-0 Gateways==
A tier-0 gateway performs the functions of a tier-0 logical router.
It processes traffic between the logical and physical networks. An Edge node can support only one tier-0 gateway or logical router.

==documentation==
[https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html VMware NSX-T Data Center Documentation]

[[category:vmware]]

'''vsx notes''' (Nighthawk, 2024-07-03T14:25:54Z)

==performance optimization==
Concurrent connections sizing: the automatic setting is not available for VSX. The limit must be hard-coded per Virtual System and monitored, because once a VS reaches its limit new connections are dropped.
==troubleshooting==
Show status:

 [Expert@MyVsxGW:2]# '''vsx stat -v'''

 VSX Gateway Status
 ==================
 Name:                          VSX1_192.168.3.241
 Access Control Policy:         VSX_Cluster_VSX
 Installed at:                  20Sep2019 22:06:33
 Threat Prevention Policy:      <No Policy>
 SIC Status:                    Trust

 Number of Virtual Systems allowed by license:          25
 Virtual Systems [active / configured]:                  2 / 2
 Virtual Routers and Switches [active / configured]:     0 / 0
 Total connections [current / limit]:                    5 / 44700

 Virtual Devices Status
 ======================

 ID   | Type & Name | Access Control Policy | Installed at    | Threat Prevention Policy | SIC Stat
 -----+-------------+-----------------------+-----------------+--------------------------+---------
    1 | S VS1       | VS_Policy             | 20Sep2019 22:07 | <No Policy>              | Trust
    2 | S VS2       | VS_Policy             | 20Sep2019 22:07 | <No Policy>              | Trust

Set the context to the appropriate Virtual System with "vsenv <ID|name>" (the number after the colon in the prompt, here :2, is the current context):

 # '''vsenv 2'''

Get interfaces:

 # '''fw getifs'''
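Since VSX has no automatic sizing, the "monitored" part above has to be scripted. The following is an added example, not code from the page or from Check Point: it parses the "Total connections [current / limit]" line and the virtual-device rows of the vsx stat -v output shown above, and reads each VS's own connection table. The column order of fw tab -t connections -s (HOST NAME ID #VALS #PEAK #SLINKS), the "limit N" attribute in the fw tab -t connections header, the fw -vs <id> per-VS invocation and the 80% threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the page: track connection-table usage on a VSX
# gateway against the hard-coded limits, since VSX has no automatic sizing.
# vsx_total_usage and vsx_vs_ids parse the `vsx stat -v` layout shown above.
# The `fw tab -t connections -s` column order (HOST NAME ID #VALS #PEAK #SLINKS),
# the "limit N" attribute in the `fw tab -t connections` header, the
# `fw -vs <id>` per-VS invocation and the 80% threshold are assumptions.

THRESHOLD_PCT="${THRESHOLD_PCT:-80}"

# vsx_total_usage -> from `vsx stat -v` on stdin prints "current limit pct"
# taken from the "Total connections [current / limit]: N / M" line.
vsx_total_usage() {
    awk -F': *' '/^Total connections \[current \/ limit\]/ {
            split($2, a, " */ *"); cur = a[1] + 0; lim = a[2] + 0
            pct = (lim > 0) ? int(cur * 100 / lim) : 0
            print cur, lim, pct; found = 1 }
        END { exit !found }'
}

# vsx_vs_ids -> from `vsx stat -v` on stdin prints the numeric ID of every
# row of the "Virtual Devices Status" table.
vsx_vs_ids() {
    awk '/^ *[0-9]+ *\|/ { print $1 }'
}

# vs_table_usage -> from `fw tab -t connections -s` on stdin prints "vals peak".
vs_table_usage() {
    awk '$2 == "connections" { print $4, $5; found = 1 } END { exit !found }'
}

# vs_table_limit -> from the `fw tab -t connections` header on stdin prints the
# configured table limit (the "limit N" attribute), or nothing if absent.
vs_table_limit() {
    awk 'match($0, /limit [0-9]+/) { print substr($0, RSTART + 6, RLENGTH - 6); exit }'
}

# usage_state CURRENT LIMIT -> "ok PCT" or "warn PCT"; warns at THRESHOLD_PCT.
usage_state() {
    cur=$1 lim=$2
    [ "$lim" -gt 0 ] 2>/dev/null || { echo "bad limit"; return 2; }
    pct=$((cur * 100 / lim))
    if [ "$pct" -ge "$THRESHOLD_PCT" ]; then echo "warn $pct"; else echo "ok $pct"; fi
}

# check_all_vs -> on the gateway itself: total usage, then each VS's table
# against its own limit. Run it from cron and alert on any "warn".
check_all_vs() {
    command -v vsx >/dev/null 2>&1 || { echo "vsx command not found: not a VSX gateway?" >&2; return 2; }
    set -- $(vsx stat -v | vsx_total_usage)
    echo "gateway total: $1 / $2 -> $(usage_state "$1" "$2")"
    for id in $(vsx stat -v | vsx_vs_ids); do
        vals=$(fw -vs "$id" tab -t connections -s | vs_table_usage | cut -d' ' -f1)
        lim=$(fw -vs "$id" tab -t connections -m 1 | vs_table_limit)
        echo "VS $id: ${vals:-?} connections, limit ${lim:-unknown} -> $(usage_state "${vals:-0}" "${lim:-0}")"
    done
}

# Stand-alone usage on a VSX gateway: sh vsx-conn-check.sh --run
if [ "${1:-}" = "--run" ]; then check_all_vs; fi
```

The gateway-wide figure from vsx stat -v is not enough on its own: a single VS can be at its limit while the total looks healthy, which is why the loop reads every VS's table separately.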
'''yum installation on secureplatform''' (Nighthawk, 2016-03-31T17:56:06Z)

==versions==
This guide was written for SPLAT; I think the version was...

 splat (R75.40)   glibc = glibc-2.3.2-95.34cp

Gaia has a newer glibc and will need a different set of RPMs, from CentOS 5.1 (I think), to get the same objective done.

 gaia (R77.30)    glibc = glibc-2.5-18.1.cp738000011

SPLAT's glibc 2.3.2 is the RHEL/CentOS 3 series and Gaia's glibc 2.5 is the RHEL/CentOS 5 series, which is why the packages below come from CentOS 3.

== Installing yum ==
Command log / list of my successful yum installation on SecurePlatform. It was truly an "rpm hell" experience to determine the required list of RPMs and dependencies below. But that is why I was installing yum... so that I only have to wade through RPM hell one time. If I ever do it again I can clean this command list up, change the order, and eliminate some of the errors.

Keep in mind what this does: it replaces system libraries (OpenSSL among them) on a Check Point management server with third-party packages, which is unsupported and can break the product or its upgrades, and the NOKEY warnings in the log below mean none of the package signatures were verified.
Installed this library from a CentOS 3.8 installation (I think):

 # scp /lib/libssl.so.0.9.7a admin@192.168.175.100:/lib/
 # rpm -ivh ./info-4.5-3.el3.1.i386.rpm
 # rpm -ivh ./readline-4.3-5.2.i386.rpm
 # rpm -ivh ./krb5-libs-1.2.7-66.i386.rpm

This one failed:

 # rpm -ivh ./openssl-0.9.7a-33.23.i686.rpm
 file /lib/libcrypto.so.0.9.7a from install of openssl-0.9.7a-33.23 conflicts with file from package openssl-libcrypto-0.9.7a-36cp

The conflict is with Check Point's own OpenSSL package (note the cp release tag), so forcing it overwrites libcrypto underneath the Check Point processes:

 # rpm -ivh --replacefiles ./openssl-0.9.7a-33.23.i686.rpm
 # rpm -ivh ./gmp-4.1.2-5.i386.rpm
 # rpm -ivh python-2.2.3-6.6.i386.rpm
 # rpm -ivh ./libxml2-2.5.10-7.i386.rpm
 # rpm -ivh ./libxml2-python-2.5.10-7.i386.rpm
 # rpm -ivh --replacefiles ./elfutils-libelf-0.94.1-2.i386.rpm     <<< should redo with -Uvh???
 # rpm -ivh ./elfutils-0.94.1-2.i386.rpm

 warning: perl-5.8.0-94.EL3.i386.rpm: V3 DSA signature: NOKEY, key ID 025e513b
 Preparing...                ########################################### [100%]
    1:perl                   ########################################### [100%]

NOKEY means rpm found a signature but had no public key to check it against, so it installed the package unverified. Importing the CentOS 3 signing key first (rpm --import) turns that warning into a real check, and rpm -K on the downloaded files tells you before installing.

 [Expert@ckkpmgr]# '''rpm -Uvh rpm*30*'''
 warning: rpm-4.2.3-30_nonptl.i386.rpm: V3 DSA signature: NOKEY, key ID 025e513b
 error: Failed dependencies:
         patch >= 2.5 is needed by rpm-build-4.2.3-30_nonptl
 [Expert@ckkpmgr]# '''rpm -ivh ./patch-2.5.4-16.i386.rpm'''
 warning: ./patch-2.5.4-16.i386.rpm: V3 DSA signature: NOKEY, key ID 025e513b
 Preparing...                ########################################### [100%]
    1:patch                  ########################################### [100%]
 [Expert@ckkpmgr]# '''rpm -Uvh rpm*30*'''
 warning: rpm-4.2.3-30_nonptl.i386.rpm: V3 DSA signature: NOKEY, key ID 025e513b
 Preparing...
                             ########################################### [100%]
    1:rpm-libs               ########################################### [ 20%]
    2:rpm                    ########################################### [ 40%]
    3:rpm-build              ########################################### [ 60%]
    4:rpm-devel              ########################################### [ 80%]
    5:rpm-python             ########################################### [100%]
 [Expert@ckkpmgr]# '''rpm -Uvh yum-2.0.8-2.centos3.noarch.rpm'''
 warning: yum-2.0.8-2.centos3.noarch.rpm: V3 DSA signature: NOKEY, key ID 025e513b
 Preparing...                ########################################### [100%]
    1:yum                    ########################################### [100%]

== configuring yum ==
I don't have the specific details here. You can web search how to set up yum to work with a particular repository. Here is a link to an old one that is still online...

[http://mirror.hmc.edu/centos/3.8/os/i386/RedHat/RPMS/ http://mirror.hmc.edu/centos/3.8/os/i386/RedHat/RPMS/]

== Installing software ==
Here is my living proof I made yum work on splat...
 [Expert@ckkpmgr]# '''yum search httpd'''
 Gathering header information file(s) from server(s)
 Server: CentOS-3 - Addons
 Server: CentOS-3 - Base
 Server: CentOS-3 - Extras
 Server: CentOS-3 - Updates
 Finding updated packages
 Downloading needed headers
 Looking in available packages for a providing package
 Available package: redhat-config-httpd.noarch 5:1.1.0-4.30.2 from base matches with redhat-config-httpd
 Available package: httpd-devel.i386 0:2.0.46-77.ent.centos from update matches with httpd-devel
 Available package: httpd.i386 0:2.0.46-77.ent.centos from update matches with httpd
 3 results returned
 Looking in installed packages for a providing package
 No packages found

 [Expert@ckkpmgr]# '''yum install httpd.i386 0:2.0.46-77.ent.centos'''
 Gathering header information file(s) from server(s)
 Server: CentOS-3 - Addons
 Server: CentOS-3 - Base
 Server: CentOS-3 - Extras
 Server: CentOS-3 - Updates
 Finding updated packages
 Downloading needed headers
 Cannot find a package matching 0:2.0.46-77.ent.centos
 Resolving dependencies
 Dependencies resolved
 I will do the following:
 [install: httpd 2.0.46-77.ent.centos.i386]
 Is this ok [y/N]: y
 Downloading Packages
 Running test transaction:
 Test transaction complete, Success!
 httpd 100 % done 1/1
 Installed:  httpd 2.0.46-77.ent.centos.i386
 '''Transaction(s) Complete'''

(yum took the second argument as another package name, hence the "Cannot find a package" line; a plain "yum install httpd" would have done.)

Let's start that Apache up, shall we?

 [Expert@ckkpmgr]# '''/etc/init.d/httpd start'''
 Starting httpd: httpd: Could not determine the server's fully qualified domain name, using 192.168.1.100 for ServerName
                                                            [  OK  ]

I can't believe it is running, let me check...

 [Expert@ckkpmgr]# '''netstat -anp | grep httpd'''
 tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      20186/httpd

Yep, it is really running.

 [Expert@ckkpmgr]# '''wget http://192.168.1.100/index.html'''
 --05:42:43--  http://192.168.1.100/index.html
            => `index.html.1'
 Connecting to 192.168.1.100:80... connected.
 HTTP request sent, awaiting response...
 200 OK
 Length: 55 [text/html]

 100%[========================================================================================>] 55            --.--K/s

 05:42:43 (11.01 MB/s) - `index.html.1' saved [55/55]

Did I just get a file from my Check Point http server?

 [Expert@ckkpmgr]# cat index.html
 &lt;html&gt;&lt;body&gt;&lt;h1&gt;'''It works! localhost'''&lt;/h1&gt;&lt;/body&gt;&lt;/html&gt;

...yes I did! Stop it again (/etc/init.d/httpd stop) and remove the package once the point is proven; an unmanaged web server listening on 0.0.0.0:80 on the management server is not something to leave behind.

[[category:splat]]
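The signature checking that the NOKEY warnings in the log above show was skipped, as an added example (not code from the page, from Check Point or from the yum project). rpm_sig_ok reads one line of rpm -K output and accepts only a verified gpg/pgp signature, because rpm -K exits 0 for an unsigned package as long as its digests match; write_yum_conf produces a yum 2.0-style config with gpgcheck on. The key file location, the repository names and the mirror URL (the one linked on the page) are assumptions.

```shell
#!/bin/sh
# Added example, not from the page: do the signature checking the NOKEY
# warnings above show was skipped. The key file path, mirror URL and
# repository names are assumptions (the mirror is the one linked on the page).

CENTOS3_KEY="${CENTOS3_KEY:-/root/RPM-GPG-KEY-centos3}"    # assumed location
MIRROR="${MIRROR:-http://mirror.hmc.edu/centos/3.8/os/i386}"

# rpm_sig_ok LINE -> 0 only when LINE (one line of `rpm -K` / `rpm --checksig`
# output) reports a verified signature. Older rpm prints "... md5 gpg OK" for a
# verified package, "... md5 OK" (no gpg token) for an unsigned one and
# "(GPG) NOT OK (MISSING KEYS: ...)" when the key is not imported; newer rpm
# prints "digests signatures OK" / "digests OK". rpm -K exits 0 for the
# unsigned case, so the signature token itself has to be required.
rpm_sig_ok() {
    case $1 in
        *"NOT OK"*)                                 return 1 ;;
        *" gpg OK"|*" pgp OK"|*"signatures OK")     return 0 ;;
        *)                                          return 1 ;;
    esac
}

# verify_rpms FILE... -> prints OK/REJECT per file; returns 1 if any is rejected.
# Run it on the downloaded packages before any rpm -ivh.
verify_rpms() {
    rc=0
    for f in "$@"; do
        line=$(rpm -K "$f" 2>&1)
        if rpm_sig_ok "$line"; then echo "OK      $f"; else echo "REJECT  $f: $line"; rc=1; fi
    done
    return $rc
}

# import_key -> import the distribution signing key so rpm and yum can verify.
import_key() {
    [ -f "$CENTOS3_KEY" ] || { echo "key file $CENTOS3_KEY not found" >&2; return 1; }
    rpm --import "$CENTOS3_KEY"
}

# write_yum_conf FILE -> yum 2.0-style config with gpgcheck=1 on the repository.
write_yum_conf() {
    cat > "$1" <<EOF
[main]
cachedir=/var/cache/yum
debuglevel=2
logfile=/var/log/yum.log
pkgpolicy=newest
tolerant=1
exactarch=1

[base]
name=CentOS-3 - Base
baseurl=$MIRROR/
gpgcheck=1
EOF
}

# yum_conf_gpgcheck FILE -> 0 if every repository section in FILE has gpgcheck=1.
yum_conf_gpgcheck() {
    awk '/^\[/ { if (sec != "" && sec != "main" && !ok) bad = 1
                 sec = substr($0, 2, length($0) - 2); ok = 0 }
         /^gpgcheck *= *1/ { ok = 1 }
         END { if (sec != "" && sec != "main" && !ok) bad = 1; exit bad + 0 }' "$1"
}

# Stand-alone usage: sh rpm-verify.sh PACKAGE.rpm ...
if [ $# -ge 1 ]; then
    import_key && verify_rpms "$@"
fi
```

With the key imported, the NOKEY warnings disappear and a tampered or unsigned package is rejected before it lands in /lib; yum_conf_gpgcheck is there so a later edit to yum.conf that switches gpgcheck off gets noticed.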
########################################### [100%] 1:perl ########################################### [100%] [Expert@ckkpmgr]# '''rpm -Uvh rpm*30*''' warning: rpm-4.2.3-30_nonptl.i386.rpm: V3 DSA signature: NOKEY, key ID 025e513b error: Failed dependencies: patch >= 2.5 is needed by rpm-build-4.2.3-30_nonptl [Expert@ckkpmgr]# '''rpm -ivh ./patch-2.5.4-16.i386.rpm''' warning: ./patch-2.5.4-16.i386.rpm: V3 DSA signature: NOKEY, key ID 025e513b Preparing... ########################################### [100%] 1:patch ########################################### [100%] [Expert@ckkpmgr]# '''rpm -Uvh rpm*30*''' warning: rpm-4.2.3-30_nonptl.i386.rpm: V3 DSA signature: NOKEY, key ID 025e513b Preparing... ########################################### [100%] 1:rpm-libs ########################################### [ 20%] 2:rpm ########################################### [ 40%] 3:rpm-build ########################################### [ 60%] 4:rpm-devel ########################################### [ 80%] 5:rpm-python ########################################### [100%] [Expert@ckkpmgr]# '''rpm -Uvh yum-2.0.8-2.centos3.noarch.rpm''' warning: yum-2.0.8-2.centos3.noarch.rpm: V3 DSA signature: NOKEY, key ID 025e513b Preparing... ########################################### [100%] 1:yum ########################################### [100%] == configuring yum == I don't have the specific details here. You can we search how to setup yum to work with a particular repository. Here is a link to an old one that is still online... [http://mirror.hmc.edu/centos/3.8/os/i386/RedHat/RPMS/ http://mirror.hmc.edu/centos/3.8/os/i386/RedHat/RPMS/] == Installing software == Here is my living proof I made yum work on splat... 
[Expert@ckkpmgr]# '''yum search httpd''' Gathering header information file(s) from server(s) Server: CentOS-3 - Addons Server: CentOS-3 - Base Server: CentOS-3 - Extras Server: CentOS-3 - Updates Finding updated packages Downloading needed headers Looking in available packages for a providing package Available package: redhat-config-httpd.noarch 5:1.1.0-4.30.2 from base matches with redhat-config-httpd Available package: httpd-devel.i386 0:2.0.46-77.ent.centos from update matches with httpd-devel Available package: httpd.i386 0:2.0.46-77.ent.centos from update matches with httpd 3 results returned Looking in installed packages for a providing package No packages found [Expert@ckkpmgr]# '''yum install httpd.i386 0:2.0.46-77.ent.centos''' Gathering header information file(s) from server(s) Server: CentOS-3 - Addons Server: CentOS-3 - Base Server: CentOS-3 - Extras Server: CentOS-3 - Updates Finding updated packages Downloading needed headers Cannot find a package matching 0:2.0.46-77.ent.centos Resolving dependencies Dependencies resolved I will do the following: [install: httpd 2.0.46-77.ent.centos.i386] Is this ok [y/N]: y Downloading Packages Running test transaction: Test transaction complete, Success! httpd 100 % done 1/1 Installed: httpd 2.0.46-77.ent.centos.i386 '''Transaction(s) Complete''' lets start that apache up shall we? [Expert@ckkpmgr]# '''/etc/init.d/httpd start''' Starting httpd: httpd: Could not determine the server's fully qualified domain name, using 192.168.1.100 for ServerName [ OK ] I can't believe it is running, let me check... [Expert@ckkpmgr]# '''netstat -anp | grep httpd''' tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 20186/httpd yep, it is really running [Expert@ckkpmgr]# '''wget http://192.168.1.100/index.html''' --05:42:43-- http://192.168.1.100/index.html => `index.html.1' Connecting to 192.168.1.100:80... connected. HTTP request sent, awaiting response... 
200 OK Length: 55 [text/html] <br> 100%[========================================================================================>] 55 --.--K/s <br> 05:42:43 (11.01 MB/s) - `index.html.1' saved [55/55] did I just get a file from my Check Point http server? [Expert@ckkpmgr]# cat index.html <html><body><h 1>'''It works! localhost'''</h 1></body></html> ...yes I did! [[category:splat]] 311 310 2013-11-05T10:45:05Z Nighthawk 1 /* configuring yum */ wikitext text/x-wiki == Installing yum == Command log / list of my successful yum installation on SecurePlatform. If I ever do it again I can clean this command list up, change the order, and eliminate some of the errors. installed this library, from a centos 3.8 installation (I think) # scp /lib/libssl.so.0.9.7a admin@192.168.175.100:/lib/ # rpm -ivh ./info-4.5-3.el3.1.i386.rpm # rpm -ivh ./readline-4.3-5.2.i386.rpm # rpm -ivh ./krb5-libs-1.2.7-66.i386.rpm *** failed **** rpm -ivh ./openssl-0.9.7a-33.23.i686.rpm # file /lib/libcrypto.so.0.9.7a from install of openssl-0.9.7a-33.23 conflicts with file from package openssl-libcrypto-0.9.7a-36cp # rpm -ivh --replacefiles ./openssl-0.9.7a-33.23.i686.rpm # rpm -ivh ./gmp-4.1.2-5.i386.rpm # rpm -ivh python-2.2.3-6.6.i386.rpm # rpm -ivh ./libxml2-2.5.10-7.i386.rpm # rpm -ivh ./libxml2-python-2.5.10-7.i386.rpm # rpm -ivh --replacefiles ./elfutils-libelf-0.94.1-2.i386.rpm <<< should redo with -Uvh??? # rpm -ivh ./elfutils-0.94.1-2.i386.rpm warning: perl-5.8.0-94.EL3.i386.rpm: V3 DSA signature: NOKEY, key ID 025e513b Preparing... ########################################### [100%] 1:perl ########################################### [100%] [Expert@ckkpmgr]# '''rpm -Uvh rpm*30*''' warning: rpm-4.2.3-30_nonptl.i386.rpm: V3 DSA signature: NOKEY, key ID 025e513b error: Failed dependencies: patch >= 2.5 is needed by rpm-build-4.2.3-30_nonptl [Expert@ckkpmgr]# '''rpm -ivh ./patch-2.5.4-16.i386.rpm''' warning: ./patch-2.5.4-16.i386.rpm: V3 DSA signature: NOKEY, key ID 025e513b Preparing... 
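The rpm output above is full of "V3 DSA signature: NOKEY" warnings and two installs forced through with --replacefiles on a firewall management server. The script below is added here as an example (it is not from this wiki page or from Check Point) that reads a saved transcript like that and reports those red flags; the transcript embedded in it is constructed from the lines above, not a live capture.

```shell
#!/bin/sh
# Audit a saved rpm transcript for supply-chain red flags. Each function reads
# the transcript on stdin and prints one finding per line.

# 1. Packages whose signature rpm could not verify. "V3 DSA signature: NOKEY"
#    means the signing key is not in the rpm keyring, so nothing proves the
#    file is the genuine CentOS package.
unverified_packages() {
    awk '/^warning: .*signature: (NOKEY|NOT OK|BAD)/ {
        sub(/^warning: /, ""); split($0, f, ": "); print f[1]
    }'
}

# 2. Installs forced past rpm safety checks. --replacefiles overwrote files
#    owned by the vendor package (openssl-libcrypto-*cp); --force and --nodeps
#    are the other common ways to do that.
forced_installs() {
    awk '/rpm .*--(replacefiles|force|nodeps)/ {
        for (i = 1; i <= NF; i++) if ($i ~ /\.rpm$/) print $i
    }'
}

# 3. Vendor file conflicts rpm reported before the install was forced.
vendor_file_conflicts() {
    awk '$1 == "file" && /conflicts with file from package/ {
        print $2 " <- " $NF
    }'
}

# 4. Dependency failures (the lines after "error: Failed dependencies:").
failed_dependencies() {
    awk '/^error: Failed dependencies:/ { grab = 1; next }
         grab && /needed by/ { sub(/^[ \t]+/, ""); print; next }
         { grab = 0 }'
}

# Full report. Exit status 1 when anything was found, 0 for a clean transcript.
audit_rpm_transcript() {
    local log found=0 section out
    log=$(cat)
    for section in \
        "unverified_packages:Packages installed without a verifiable signature" \
        "forced_installs:Installs forced with --replacefiles/--force/--nodeps" \
        "vendor_file_conflicts:Vendor-owned files overwritten (file <- package)" \
        "failed_dependencies:Unresolved dependencies"
    do
        out=$(printf '%s\n' "$log" | "${section%%:*}")
        [ -n "$out" ] || continue
        found=1
        printf '== %s ==\n%s\n' "${section#*:}" "$out"
    done
    return $found
}

# Constructed sample transcript modelled on the log above (not a live capture).
sample_transcript() {
cat <<'EOF'
[Expert@ckkpmgr]# rpm -ivh ./openssl-0.9.7a-33.23.i686.rpm
        file /lib/libcrypto.so.0.9.7a from install of openssl-0.9.7a-33.23 conflicts with file from package openssl-libcrypto-0.9.7a-36cp
[Expert@ckkpmgr]# rpm -ivh --replacefiles ./openssl-0.9.7a-33.23.i686.rpm
[Expert@ckkpmgr]# rpm -ivh --replacefiles ./elfutils-libelf-0.94.1-2.i386.rpm
[Expert@ckkpmgr]# rpm -ivh ./perl-5.8.0-94.EL3.i386.rpm
warning: ./perl-5.8.0-94.EL3.i386.rpm: V3 DSA signature: NOKEY, key ID 025e513b
[Expert@ckkpmgr]# rpm -Uvh rpm*30*
warning: rpm-4.2.3-30_nonptl.i386.rpm: V3 DSA signature: NOKEY, key ID 025e513b
error: Failed dependencies:
        patch >= 2.5 is needed by rpm-build-4.2.3-30_nonptl
[Expert@ckkpmgr]# rpm -ivh ./patch-2.5.4-16.i386.rpm
warning: ./patch-2.5.4-16.i386.rpm: V3 DSA signature: NOKEY, key ID 025e513b
Preparing...                ########################################### [100%]
   1:patch                  ########################################### [100%]
EOF
}

# Stand-alone run: report on the sample transcript.
if sample_transcript | audit_rpm_transcript; then
    echo "transcript clean"
else
    echo "findings present (exit status 1)"
fi
```

To audit a real session, run the rpm commands under `script` (or copy the terminal output to a file) and pipe that file into audit_rpm_transcript.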
200 OK Length: 55 [text/html] <br> 100%[========================================================================================>] 55 --.--K/s <br> 05:42:43 (11.01 MB/s) - `index.html.1' saved [55/55] did I just get a file from my Check Point http server? [Expert@ckkpmgr]# cat index.html <html><body><h1>'''It works! localhost'''</h1></body></html> ...yes I did! [[category:splat]] 305 303 2013-11-05T10:38:01Z Nighthawk 1 wikitext text/x-wiki == Installing yum == Command log / list of my successful yum installation on SecurePlatform installed this library, from a centos 3.8 installation (I think) # scp /lib/libssl.so.0.9.7a admin@192.168.175.100:/lib/ # rpm -ivh ./info-4.5-3.el3.1.i386.rpm # rpm -ivh ./readline-4.3-5.2.i386.rpm # rpm -ivh ./krb5-libs-1.2.7-66.i386.rpm *** failed **** rpm -ivh ./openssl-0.9.7a-33.23.i686.rpm # file /lib/libcrypto.so.0.9.7a from install of openssl-0.9.7a-33.23 conflicts with file from package openssl-libcrypto-0.9.7a-36cp # rpm -ivh --replacefiles ./openssl-0.9.7a-33.23.i686.rpm # rpm -ivh ./gmp-4.1.2-5.i386.rpm # rpm -ivh python-2.2.3-6.6.i386.rpm # rpm -ivh ./libxml2-2.5.10-7.i386.rpm # rpm -ivh ./libxml2-python-2.5.10-7.i386.rpm # rpm -ivh --replacefiles ./elfutils-libelf-0.94.1-2.i386.rpm <<< should redo with -Uvh??? # rpm -ivh ./elfutils-0.94.1-2.i386.rpm warning: perl-5.8.0-94.EL3.i386.rpm: V3 DSA signature: NOKEY, key ID 025e513b Preparing... ########################################### [100%] 1:perl ########################################### [100%] [Expert@ckkpmgr]# '''rpm -Uvh rpm*30*''' warning: rpm-4.2.3-30_nonptl.i386.rpm: V3 DSA signature: NOKEY, key ID 025e513b error: Failed dependencies: patch >= 2.5 is needed by rpm-build-4.2.3-30_nonptl [Expert@ckkpmgr]# '''rpm -ivh ./patch-2.5.4-16.i386.rpm''' warning: ./patch-2.5.4-16.i386.rpm: V3 DSA signature: NOKEY, key ID 025e513b Preparing... 
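Every package in the log above was accepted with a "V3 DSA signature: NOKEY" warning: the RPMs were signed, but the CentOS key was never imported, so rpm could not verify anything before writing files into /lib and /usr on a firewall management server. The check below is an added example, not code from this wiki page; it imports the vendor key first and refuses to install any package whose `rpm -K` line is not fully verified. The key file path and the `rpm -K` sample lines in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). rpm_sig_ok reads "rpm -K"
# output on stdin and succeeds only when every package line is a clean
# "... OK" verdict. rpm 4.x marks failed checks in UPPER CASE and appends
# "NOT OK (MISSING KEYS: GPG#...)" when the signing key is absent, e.g.
# (constructed samples):
#   yum-2.0.8-2.centos3.noarch.rpm: (sha1) dsa sha1 md5 gpg OK
#   yum-2.0.8-2.centos3.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#025e513b)
rpm_sig_ok() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *"NOT OK"*|*"NOKEY"*|*"MISSING KEYS"*)
                echo "REJECT: $line" >&2; bad=1 ;;
            *" OK")
                ;;                     # every digest and the signature verified
            "")
                ;;                     # ignore blank lines
            *)
                echo "REJECT (unrecognised verdict): $line" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# install_verified KEYFILE PKG...: import the vendor GPG key (path is an
# assumption, e.g. RPM-GPG-KEY-CentOS-3 from the mirror), verify every
# package, and only then upgrade/install. Returns 2 if rpm is unavailable,
# 1 if any package failed verification. Intended to run on the appliance.
install_verified() {
    key="$1"; shift
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available" >&2; return 2; }
    rpm --import "$key" || return 2
    rpm -K "$@" | rpm_sig_ok || return 1
    rpm -Uvh "$@"
}
```

Run `rpm -K` again after `rpm --import`; the verdict flips from "NOT OK (MISSING KEYS...)" to lowercase "gpg OK" only when the imported key actually matches key ID 025e513b.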